Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
admin | Microsoft 365 Copilot Usage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md | You can view several numbers for Copilot for Microsoft 365 usage, which highligh :::image type="content" alt-text="Screenshot showing Microsoft 365 Copilot usage summary information." source="../../media/copilot-usage-numbers.png"::: -**Enabled Users** shows you total number of unique users in your organization with Copilot for Microsoft 365 licenses over the selected time period. +**Enabled Users** shows the total number of unique users in your organization with Copilot for Microsoft 365 licenses over the selected time period. -**Active Users** shows you total number of enabled users in your organization who tried a user-initiated Copilot for Microsoft 365 feature, in one or more Microsoft 365 apps over the selected time period. +**Active Users** shows the total number of enabled users in your organization who tried a user-initiated Copilot for Microsoft 365 feature, in one or more Microsoft 365 apps over the selected time period. > [!NOTE] > A user is considered active in a given app if they performed an intentional action for an AI-powered capability. For example, if a user selects the Copilot icon in the Word ribbon to open the Copilot chat pane, this does not count towards active usage. However, if the user interacts with the chat pane by submitting a prompt, this action would count towards active usage. To make the data in the Copilot for Microsoft 365 report anonymous, you must be 2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports in Microsoft 365 admin center and Teams admin center. 3. Select **Save changes**.++## FAQ ++### What's the difference between the user activity table and audit log? 
++The information captured in audit log records differs from that in [Microsoft 365 usage reports](#user-last-activity-table). It's important to note that audit logs are not designed for assessing user engagement in Microsoft 365, and they should not be used should not be used to replace or augment information in Microsoft 365 usage reports. To learn more about audit logs, see [Export, configure, and view audit log records](/purview/audit-log-export-records#step-1-export-audit-log-search-results). |
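Review bot: the added FAQ paragraph duplicates a phrase in the sentence "they should not be used should not be used to replace or augment information in Microsoft 365 usage reports"; drop the repeated "should not be used" so it reads "they should not be used to replace or augment information in Microsoft 365 usage reports." In the same paragraph, the link text "Microsoft 365 usage reports" points at the in-page anchor `#user-last-activity-table`, which is one table on this report page rather than the usage reports overview; confirm that anchor is the intended target or relabel the link to match it.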
enterprise | External Domain Name System Records | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/external-domain-name-system-records.md | An email system that receives an email from your domain looks at the SPF record. For scenarios where you're not just using Exchange Online email for Office 365 (for example, when you use email originating from SharePoint Online as well), use the following table to determine what to include in the value of the record. > [!NOTE]-> If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. Learn how: [Set up SPF records in Office 365 to help prevent spoofing](../security/office-365-security/email-authentication-spf-configure.md). You can also learn much more about how SPF works with Office 365 by reading [How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing](../security/office-365-security/email-authentication-anti-spoofing.md). +> If you have a complicated scenario that includes, for example, edge email servers for managing email traffic across your firewall, you'll have a more detailed SPF record to set up. For more information, see [Set up SPF records in Office 365 to help prevent spoofing](../security/office-365-security/email-authentication-spf-configure.md). |Number|If you're using...|Purpose|Add these includes| ||||| |
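Review bot: the rewritten note drops the second sentence of the original and with it the link to [How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing](../security/office-365-security/email-authentication-anti-spoofing.md); the remaining link covers only the configuration steps, so readers with edge-server scenarios lose the pointer to how SPF evaluation actually works. Suggest keeping that conceptual link in the note, for example as a second sentence: "For details on how SPF is evaluated, see [How Office 365 uses Sender Policy Framework (SPF) to help prevent spoofing](../security/office-365-security/email-authentication-anti-spoofing.md)."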
enterprise | Tenant Roadmap Microsoft 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/tenant-roadmap-microsoft-365.md | f1.keywords: Previously updated : 02/08/2024 Last updated : 02/12/2024 audience: ITPro To get your tenant ready for user, groups, licenses, and cloud apps, it's critic ## Set up your Microsoft 365 tenant -After ensuring that your networking is optimized for access to Microsoft 365 for both on-premises and remote workers, your next big tasks are planning for and then configuring your Microsoft 365 tenant for DNS domain names, common services, and for that identity infrastructure that supports secure user sign-in. +Before you begin planning your network for Microsoft 365 network connectivity, it's important to understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance. Ensure that your networking is optimized for access to Microsoft 365 for both on-premises and remote workers by [understanding and planning for Microsoft 365 network optimization](microsoft-365-network-connectivity-principles.md). ++Your next big tasks are planning for and then configuring your Microsoft 365 tenant for DNS domain names, common services, and for that identity infrastructure that supports secure user sign-in. ### Plan To plan for your tenant implementation: ### Deploy -To deploy your tenant: +To deploy your tenant: - Add the [DNS domains](../admin/setup/add-domain.md) for your organization. - Use the [setup guides in the Microsoft 365 admin center](setup-guides-for-microsoft-365.md). Microsoft continues to open new datacenter geographic locations (geos) for Micro For more information, see [Moving core data to new Microsoft 365 datacenter geos](moving-data-to-new-datacenter-geos.md). 
- ## Deploy Microsoft 365 Multi-Geo With Microsoft 365 Multi-Geo, your organization can expand its Microsoft 365 presence to multiple geographic regions and/or countries within your existing tenant. For more information, see [Microsoft 365 Multi-Geo](microsoft-365-multi-geo.md). -## Manage multiple Microsoft 365 tenants +## Manage multiple Microsoft 365 tenants Although having a single tenant for your organization is ideal, you may be one of many organizations that have multiple tenants. Reasons can include mergers and acquisitions, you want administrative isolation, or you have a decentralized IT. |
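Review bot: the new opening paragraph under "Set up your Microsoft 365 tenant" reads "Before you begin planning your network for Microsoft 365 network connectivity", which repeats "network" and buries the instruction; tighten it to "Before you plan your Microsoft 365 network connectivity, understand the connectivity principles for securely managing Microsoft 365 traffic and getting the best possible performance." The paragraph also duplicates the intent of the following "Ensure that your networking is optimized ..." sentence; merging the two into one sentence with the single link to microsoft-365-network-connectivity-principles.md would keep the section focused on the tenant tasks that follow.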
includes | Microsoft 365 Content Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md | +## Week of February 05, 2024 +++| Published On |Topic title | Change | +|||--| +| 2/5/2024 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified | +| 2/5/2024 | [Other endpoints not included in the Microsoft 365 IP Address and URL Web service](/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 IP Address and URL web service](/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 US Government DOD endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 U.S. Government GCC High endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints?view=o365-worldwide) | modified | +| 2/5/2024 | [URLs and IP address ranges for Microsoft 365 operated by 21Vianet](/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) | modified | +| 2/6/2024 | [Manage the join experience for Teams Virtual Appointments on browsers](/microsoft-365/frontline/browser-join?view=o365-worldwide) | modified | +| 2/6/2024 | [Allow cookies for LMS URLs in your browser](/microsoft-365/lti/browser-cookies?view=o365-worldwide) | modified | +| 2/6/2024 | Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration | removed | +| 2/6/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure 
the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure anti-phishing policies in EOP](/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure outbound spam policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified | +| 2/6/2024 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified | +| 2/6/2024 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Use Microsoft Defender for Office 365 in SharePoint 
Online](/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online?view=o365-worldwide) | modified | +| 2/6/2024 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags-about?view=o365-worldwide) | modified | +| 2/6/2024 | [Pricing model for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-pricing) | modified | +| 2/6/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified | +| 2/7/2024 | [Detect and Remediate Illicit Consent Grants](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide) | modified | +| 2/7/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | +| 2/7/2024 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide) | modified | +| 2/7/2024 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-common?view=o365-worldwide) | modified | +| 2/7/2024 | [Zero Trust identity and device access 
configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview?view=o365-worldwide) | modified | +| 2/7/2024 | [Prerequisite work for implementing Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq?view=o365-worldwide) | modified | +| 2/7/2024 | [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide) | modified | +| 2/7/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified | +| 2/7/2024 | [View Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/view-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/7/2024 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft 365 for Financial Services](/microsoft-365/frontline/teams-for-financial-services?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft 365 for Manufacturing](/microsoft-365/frontline/teams-for-manufacturing?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified | +| 2/7/2024 | [Configure apps using Microsoft Intune](/microsoft-365/solutions/apps-config-overview?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 1. Configure the Company Portal](/microsoft-365/solutions/apps-config-step-1?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 3. 
Configure Microsoft 365](/microsoft-365/solutions/apps-config-step-3?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 4. Configure Microsoft Edge](/microsoft-365/solutions/apps-config-step-4?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 5. Configure Microsoft Teams](/microsoft-365/solutions/apps-config-step-5?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 6. Configure other apps](/microsoft-365/solutions/apps-config-step-6?view=o365-worldwide) | modified | +| 2/7/2024 | [Feature update validation](/microsoft-365/test-base/feature?view=o365-worldwide) | modified | +| 2/8/2024 | Industry collaboration programs | removed | +| 2/8/2024 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified | +| 2/8/2024 | [Troubleshoot a signature request for SharePoint eSignature](/microsoft-365/syntex/esignature-troubleshoot) | modified | +| 2/8/2024 | [Remove Microsoft 365 licenses from user accounts with PowerShell](/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/9/2024 | [Manage Office Scripts settings](/microsoft-365/admin/manage/manage-office-scripts-settings?view=o365-worldwide) | modified | +| 2/9/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | added | +| 2/9/2024 | Manage self-service purchases and organizational trials for Microsoft Project | removed | +| 2/9/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified | +| 2/9/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified | ++ ## Week of January 29, 2024 | 1/19/2024 | [Microsoft Defender for 
Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide) | modified | | 1/19/2024 | [Configure general Defender for Endpoint settings](/microsoft-365/security/defender-endpoint/preferences-setup?view=o365-worldwide) | modified | | 1/19/2024 | [Overview of Microsoft Syntex](/microsoft-365/syntex/syntex-overview) | modified |---## Week of January 01, 2024 ---| Published On |Topic title | Change | -|||--| -| 1/2/2024 | [What's new in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365-whats-new?view=o365-worldwide) | modified | -| 1/2/2024 | [Change your endpoint security subscription](/microsoft-365/security/defender-business/mdb-manage-subscription?view=o365-worldwide) | added | -| 1/2/2024 | [Create a more secure guest sharing environment](/microsoft-365/solutions/create-secure-guest-sharing-environment?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified | -| 4/20/2023 | [Remove a former employee - Overview](/microsoft-365/admin/add-users/remove-former-employee?view=o365-worldwide) | modified | -| 4/20/2023 | [Set an individual user's password to never expire](/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide) | modified | -| 4/20/2023 | [Microsoft 365 Experience insights dashboard](/microsoft-365/admin/misc/experience-insights-dashboard?view=o365-worldwide) | modified | -| 4/20/2023 | [What's new in the Microsoft 365 admin center?](/microsoft-365/admin/whats-new-in-preview?view=o365-worldwide) | modified | -| 4/20/2023 | [Set up and configure Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-setup-configuration?view=o365-worldwide) | modified | -| 4/20/2023 | [What's new in Microsoft Defender for Endpoint on 
Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | -| 4/20/2023 | [Migrate to Microsoft Defender for Endpoint - Onboard](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide) | modified | -| 4/20/2023 | [How Microsoft names threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) | modified | -| 4/20/2023 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified | -| 4/20/2023 | [Configure outbound spam policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified | -| 4/20/2023 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) | modified | -| 4/20/2023 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) | modified | -| 4/20/2023 | [Manage clients for Microsoft Whiteboard in GCC High environments](/microsoft-365/whiteboard/manage-clients-gcc-high?view=o365-worldwide) | modified | -| 1/2/2024 | [Manage and monitor priority accounts](/microsoft-365/admin/setup/priority-accounts?view=o365-worldwide) | modified | -| 1/2/2024 | [Add several users at the same time to Microsoft 365 - Admin Help](/microsoft-365/enterprise/add-several-users-at-the-same-time?view=o365-worldwide) | modified | -| 1/2/2024 | [Specify the cloud protection level for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure teams with protection for highly sensitive data](/microsoft-365/solutions/configure-teams-highly-sensitive-protection?view=o365-worldwide) | modified | -| 
1/2/2024 | [Basic Mobility and Security frequently-asked questions (FAQ)](/microsoft-365/admin/basic-mobility-security/frequently-asked-questions?view=o365-worldwide) | modified | -| 1/2/2024 | [Manage device access settings in Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/manage-device-access-settings?view=o365-worldwide) | modified | -| 1/2/2024 | [Upgrade your Office 2010 to Microsoft 365 - Microsoft 365 admin](/microsoft-365/admin/setup/upgrade-users-to-latest-office-client?view=o365-worldwide) | modified | -| 1/2/2024 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified | -| 1/2/2024 | [Enable Conditional Access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure device discovery](/microsoft-365/security/defender-endpoint/configure-device-discovery?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure exclusions for files opened by specific processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure Microsoft Defender Antivirus exclusions on Windows Server](/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure vulnerability email notifications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications?view=o365-worldwide) | modified | -| 1/2/2024 | [Device discovery frequently asked questions](/microsoft-365/security/defender-endpoint/device-discovery-faq?view=o365-worldwide) | modified | -| 1/2/2024 | [Device discovery 
overview](/microsoft-365/security/defender-endpoint/device-discovery?view=o365-worldwide) | modified | -| 1/2/2024 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide) | modified | -| 1/2/2024 | [Turn on exploit protection to help mitigate against attacks](/microsoft-365/security/defender-endpoint/enable-exploit-protection?view=o365-worldwide) | modified | -| 1/2/2024 | [Exploit protection reference](/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide) | modified | -| 1/2/2024 | [Apply mitigations to help prevent attacks through vulnerabilities](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide) | modified | -| 1/2/2024 | [Become a Microsoft Defender for Endpoint partner](/microsoft-365/security/defender-endpoint/get-started-partner-integration?view=o365-worldwide) | modified | -| 1/2/2024 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-worldwide) | modified | -| 1/2/2024 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-worldwide) | modified | -| 1/2/2024 | [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified | -| 1/2/2024 | [Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide) | modified | -| 1/2/2024 | [Set preferences for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide) | modified | -| 1/2/2024 | [Create indicators](/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide) | modified | -| 
1/2/2024 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide) | modified | -| 1/2/2024 | [Network device discovery and vulnerability management](/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide) | modified | -| 1/2/2024 | [Troubleshoot Microsoft Defender for Endpoint service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp?view=o365-worldwide) | modified | -| 1/2/2024 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide) | modified | -| 1/2/2024 | [Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt?view=o365-worldwide) | modified | -| 1/2/2024 | [Zero Trust with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide) | added | -| 1/2/2024 | [Block vulnerable applications](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified | -| 1/2/2024 | [Create and view exceptions for security recommendations](/microsoft-365/security/defender-vulnerability-management/tvm-exception?view=o365-worldwide) | modified | -| 1/2/2024 | [Remediate vulnerabilities](/microsoft-365/security/defender-vulnerability-management/tvm-remediation?view=o365-worldwide) | modified | -| 1/2/2024 | [BehaviorEntities table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-behaviorentities-table?view=o365-worldwide) | added | -| 1/2/2024 | [BehaviorInfo table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-behaviorinfo-table?view=o365-worldwide) | added | -| 1/2/2024 | [Zero Trust with Microsoft 365 
Defender](/microsoft-365/security/defender/zero-trust-with-microsoft-365-defender?view=o365-worldwide) | modified | -| 1/2/2024 | [Zero Trust deployment plan with Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide) | modified | -| 1/2/2024 | [Remediation actions in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-remediation-actions?view=o365-worldwide) | modified | -| 1/2/2024 | [How EOP validates the From address to prevent phishing](/microsoft-365/security/office-365-security/anti-phishing-from-email-address-validation?view=o365-worldwide) | modified | -| 1/2/2024 | [Attack simulation training deployment considerations and FAQ](/microsoft-365/security/office-365-security/attack-simulation-training-faq?view=o365-worldwide) | modified | -| 1/2/2024 | [Create safe sender lists](/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide) | modified | -| 1/2/2024 | [Detect and remediate the Outlook rules and custom forms injections attacks.](/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft Defender for Office 365 email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-worldwide) | modified | -| 1/2/2024 | [Zero Trust with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/zero-trust-with-microsoft-365-defender-office-365?view=o365-worldwide) | added | -| 1/2/2024 | [Secure your business data with Microsoft 365 for business](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | modified | -| 1/2/2024 | [End-user notifications for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications?view=o365-worldwide) | modified | -| 1/2/2024 | [Get started using Attack simulation 
training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified | -| 1/2/2024 | [Insights and reports Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights?view=o365-worldwide) | modified | -| 1/2/2024 | [Landing pages in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-landing-pages?view=o365-worldwide) | added | -| 1/2/2024 | [Login pages in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-login-pages?view=o365-worldwide) | modified | -| 1/2/2024 | [Payload automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations?view=o365-worldwide) | modified | -| 1/2/2024 | [Payloads in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide) | modified | -| 1/2/2024 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide) | modified | -| 1/2/2024 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulations?view=o365-worldwide) | modified | -| 1/2/2024 | [Training campaigns in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft Defender for Office 365 support for Microsoft Teams (Preview)](/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure teams with protection for sensitive data](/microsoft-365/solutions/configure-teams-sensitive-protection?view=o365-worldwide) | modified | -| 1/2/2024 | [Cross-tenant mailbox 
migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified | -| 1/2/2024 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft 365 admin center Office activations reports](/microsoft-365/admin/activity-reports/microsoft-office-activations-ww?view=o365-worldwide) | modified | -| 1/2/2024 | [Centralized Deployment FAQ](/microsoft-365/admin/manage/centralized-deployment-faq?view=o365-worldwide) | modified | -| 1/2/2024 | [Determine if Centralized Deployment of add-ins works for your organization](/microsoft-365/admin/manage/centralized-deployment-of-add-ins?view=o365-worldwide) | modified | -| 1/2/2024 | [Test and deploy Microsoft 365 Apps by partners in the Integrated apps portal](/microsoft-365/admin/manage/test-and-deploy-microsoft-365-apps?view=o365-worldwide) | modified | -| 1/2/2024 | [Plan your setup of Microsoft 365 for business](/microsoft-365/admin/setup/plan-your-setup?view=o365-worldwide) | modified | -| 1/2/2024 | [Performing Bulk SharePoint site Cross-tenant migrations (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-bulk-site-migration?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration FAQs (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-faqs?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 1 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step1?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 2 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step2?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 3 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step3?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-tenant 
SharePoint migration Step 4 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step4?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-tenant SharePoint migration Step 5 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | added | -| 1/2/2024 | [SharePoint Cross-Tenant User Data Migration Step 7 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step7?view=o365-worldwide) | added | -| 1/2/2024 | [Cross-tenant SharePoint site migration overview (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration?view=o365-worldwide) | added | -| 1/2/2024 | [Tailor Teams apps for your frontline workers](/microsoft-365/frontline/pin-teams-apps-based-on-license?view=o365-worldwide) | modified | -| 4/10/2023 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide) | modified | -| 1/2/2024 | [Download perpetual software and product license keys bought through the Cloud Solution Provider (CSP) program](/microsoft-365/admin/setup/download-software-licenses-csp?view=o365-worldwide) | modified | -| 1/2/2024 | [How to secure your business data with Microsoft 365](/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide) | modified | -| 1/2/2024 | [Manage auto-claim policies](/microsoft-365/commerce/licenses/manage-auto-claim-policies?view=o365-worldwide) | modified | -| 1/2/2024 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft 365 Network 
Insights](/microsoft-365/enterprise/office-365-network-mac-perf-insights?view=o365-worldwide) | modified | -| 1/2/2024 | [Set up and configure Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-setup-configuration?view=o365-worldwide) | modified | -| 1/2/2024 | [Onboard non-Windows devices to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-endpoints-non-windows?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-worldwide) | modified | -| 1/2/2024 | [Turn pronouns on or off for your organization in the Microsoft 365 admin center](/microsoft-365/admin/add-users/turn-pronouns-on-or-off?view=o365-worldwide) | modified | -| 1/2/2024 | [Service advisories for auto-expanding archive utilization in Exchange Online monitoring](/microsoft-365/enterprise/microsoft-365-exo-archive-advisory?view=o365-worldwide) | modified | -| 1/2/2024 | [Printer Protection frequently asked questions](/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions?view=o365-worldwide) | modified | -| 1/2/2024 | [Schedule regular quick and full scans with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?view=o365-worldwide) | modified | -| 1/2/2024 | [Investigate alerts in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-alerts?view=o365-worldwide) | modified | -| 1/2/2024 | [Scenarios and use cases for Microsoft Syntex](/microsoft-365/syntex/adoption-scenarios) | modified | -| 1/2/2024 | [Document compliance with Microsoft Syntex](/microsoft-365/syntex/scenario-document-compliance) | added | -| 1/2/2024 | [Find content details with Microsoft Syntex](/microsoft-365/syntex/scenario-find-content-details) | added | -| 1/2/2024 | 
[Generate documents in bulk with Microsoft Syntex](/microsoft-365/syntex/scenario-generate-documents-bulk) | added | -| 1/2/2024 | [Automatically generate routine documents with Microsoft Syntex](/microsoft-365/syntex/scenario-generate-routine-documents) | added | -| 1/2/2024 | [Handle incoming documents with Microsoft Syntex](/microsoft-365/syntex/scenario-handle-incoming-documents) | added | -| 1/2/2024 | [Make information easier to find with Microsoft Syntex](/microsoft-365/syntex/scenario-organize-repositories) | added | -| 1/2/2024 | [Set up Microsoft 365 Business Premium](/microsoft-365/business-premium/m365-business-premium-setup?view=o365-worldwide) | renamed | -| 1/2/2024 | [Setup overview for Microsoft 365 for Campaigns](/microsoft-365/business-premium/m365-campaigns-setup?view=o365-worldwide) | modified | -| 1/2/2024 | [Why choose Microsoft 365 Business Premium? Productivity and security](/microsoft-365/business-premium/why-choose-microsoft-365-business-premium?view=o365-worldwide) | modified | -| 3/23/2023 | [Microsoft Teams SMS notifications usage report](/microsoft-365/frontline/sms-notifications-usage-report?view=o365-worldwide) | added | -| 3/23/2023 | [Overview of the Vulnerability management page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-vulnerability-management-page-overview?view=o365-worldwide) | added | -| 3/23/2023 | [Requirements for Microsoft Defender for Business](/microsoft-365/security/defender-business/mdb-requirements?view=o365-worldwide) | modified | -| 3/23/2023 | [Deploy, manage, and report on Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 1/2/2024 | [Microsoft Defender Threat Intelligence in Microsoft 365 Defender](/microsoft-365/security/defender/defender-threat-intelligence?view=o365-worldwide) | added | -| 1/2/2024 | [Microsoft Defender for Office 365 support for Microsoft Teams 
(Preview)](/microsoft-365/security/office-365-security/mdo-support-teams-about?view=o365-worldwide) | added | -| 1/2/2024 | [Manage quarantined messages and files as an admin](/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files?view=o365-worldwide) | modified | -| 1/2/2024 | [User reported message settings in Teams](/microsoft-365/security/office-365-security/submissions-teams?view=o365-worldwide) | added | -| 1/2/2024 | [The Teams Message Entity Panel in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/teams-message-entity-panel?view=o365-worldwide) | added | -| 1/2/2024 | [Zero-hour auto purge in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure advanced features in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/advanced-features?view=o365-worldwide) | modified | -| 1/2/2024 | [Restore a deleted Microsoft 365 group](/microsoft-365/admin/create-groups/restore-deleted-group?view=o365-worldwide) | modified | -| 1/2/2024 | [Anti-spam message headers](/microsoft-365/security/office-365-security/message-headers-eop-mdo?view=o365-worldwide) | modified | -| 1/2/2024 | [Migrate to Microsoft Defender for Office 365 Phase 2: Setup](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup?view=o365-worldwide) | modified | -| 1/2/2024 | [Outbound delivery pools](/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about?view=o365-worldwide) | modified | -| 1/2/2024 | [Step-by-step threat protection stack in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365?view=o365-worldwide) | modified | -| 1/2/2024 | [Threat Explorer and Real-time detections basics in Microsoft Defender for Office 
365](/microsoft-365/security/office-365-security/real-time-detections?view=o365-worldwide) | modified | -| 1/2/2024 | [Remediate malicious email that was delivered in Office 365](/microsoft-365/security/office-365-security/remediate-malicious-email-delivered-office-365?view=o365-worldwide) | modified | -| 1/2/2024 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide) | modified | -| 1/2/2024 | [Secure by default in Office 365](/microsoft-365/security/office-365-security/secure-by-default?view=o365-worldwide) | modified | -| 1/2/2024 | [Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies?view=o365-worldwide) | modified | -| 1/2/2024 | [Reduce the attack surface for Microsoft Teams](/microsoft-365/security/office-365-security/step-by-step-guides/reducing-attack-surface-in-microsoft-teams?view=o365-worldwide) | modified | -| 1/2/2024 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-worldwide) | modified | -| 1/2/2024 | [Frequently asked questions (FAQs) on tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | added | -| 1/2/2024 | [Troubleshoot problems with tamper protection](/microsoft-365/security/defender-endpoint/troubleshoot-problems-with-tamper-protection?view=o365-worldwide) | added | -| 1/2/2024 | [Use the Microsoft 365 admin center to manage your Shifts connection to Blue Yonder Workforce Management (Preview)](/microsoft-365/frontline/shifts-connector-blue-yonder-admin-center-manage?view=o365-worldwide) | modified | -| 1/2/2024 | [Use the Microsoft 365 admin center to manage your Shifts connection to UKG Dimensions 
(Preview)](/microsoft-365/frontline/shifts-connector-ukg-admin-center-manage?view=o365-worldwide) | modified | -| 1/2/2024 | [Use PowerShell to manage your Shifts connection to UKG Dimensions](/microsoft-365/frontline/shifts-connector-ukg-powershell-manage?view=o365-worldwide) | modified | -| 1/2/2024 | [Use the Shifts connector wizard to connect Shifts to UKG Dimensions (Preview)](/microsoft-365/frontline/shifts-connector-wizard-ukg?view=o365-worldwide) | modified | -| 1/2/2024 | [Configure and validate Microsoft Defender Antivirus network connections](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 1/3/2024 | [How Microsoft names threat actors](/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide) | modified | -| 1/3/2024 | Create a B2B extranet with managed guests | removed | -| 1/3/2024 | [Best practices for unauthenticated sharing](/microsoft-365/solutions/best-practices-anonymous-sharing?view=o365-worldwide) | modified | -| 1/3/2024 | [Understand end-of-sale products in the Microsoft 365 admin center](/microsoft-365/commerce/subscriptions/understand-eos-products?view=o365-worldwide) | added | -| 1/3/2024 | [Integrate Microsoft Reflect LTI with D2L Brightspace](/microsoft-365/lti/reflect-lti-brightspace?view=o365-worldwide) | added | -| 1/3/2024 | [Integrate Microsoft Reflect LTI with Moodle](/microsoft-365/lti/reflect-lti-moodle?view=o365-worldwide) | added | -| 1/3/2024 | [Change your endpoint security subscription](/microsoft-365/security/defender-business/mdb-manage-subscription?view=o365-worldwide) | modified | -| 1/3/2024 | [Protect and govern personal data ΓÇô Microsoft Priva and Purview](/microsoft-365/solutions/data-privacy-protection-protect-govern?view=o365-worldwide) | modified | -| 1/3/2024 | [Stay on track with data privacy regulations ΓÇô Microsoft Priva and 
Purview](/microsoft-365/solutions/data-privacy-protection-regulations?view=o365-worldwide) | modified | -| 1/4/2024 | [Rerun queries in query history](/microsoft-365/security/defender/advanced-hunting-query-history?view=o365-worldwide) | added | -| 1/4/2024 | [Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI](/microsoft-365/security/defender/defender-xdr-custom-reports?view=o365-worldwide) | added | -| 1/4/2024 | [Work with advanced hunting query results in Microsoft Defender XDR](/microsoft-365/security/defender/advanced-hunting-query-results?view=o365-worldwide) | modified | -| 1/4/2024 | [Import roles to Microsoft Defender XDR Unified role-based access control (RBAC)](/microsoft-365/security/defender/import-rbac-roles?view=o365-worldwide) | modified | -| 1/4/2024 | [Try out Microsoft Syntex and explore its features](/microsoft-365/syntex/trial-syntex) | modified | -| 1/4/2024 | [Try out Microsoft Syntex and explore its services](/microsoft-365/syntex/promo-syntex) | renamed | -| 1/5/2024 | [Understand the Microsoft 365 E3 and E5 Extra Features license](/microsoft-365/commerce/licenses/e3-extra-features-licenses?view=o365-worldwide) | modified | -| 1/5/2024 | [Integrate Microsoft Reflect LTI with Blackboard Learn](/microsoft-365/lti/reflect-lti-blackboard?view=o365-worldwide) | added | -| 1/5/2024 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified | -| 1/5/2024 | [What's new in Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-whatsnew?view=o365-worldwide) | modified | -| 1/5/2024 | [Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-sys-ext?view=o365-worldwide) | modified | -| 1/5/2024 | [Appendices for ring deployment using Group Policy and Windows Server Update Services 
(WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | modified | -| 1/5/2024 | [Migrate devices to use the streamlined onboarding method](/microsoft-365/security/defender-endpoint/migrate-devices-streamlined?view=o365-worldwide) | modified | -| 1/5/2024 | [Take response actions on a device in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide) | modified | -| 1/5/2024 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified | -| 1/5/2024 | [UEFI scanning in Defender for Endpoint](/microsoft-365/security/defender-endpoint/uefi-scanning-in-defender-for-endpoint?view=o365-worldwide) | modified | -| 1/5/2024 | [Connect Microsoft Sentinel to Microsoft Defender XDR (preview)](/microsoft-365/security/defender/microsoft-sentinel-onboard?view=o365-worldwide) | modified | -| 1/5/2024 | [Advanced hunting in multi-tenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-advanced-hunting?view=o365-worldwide) | modified | -| 1/5/2024 | [Analyze your first incident in Microsoft Defender XDR](/microsoft-365/security/defender/respond-first-incident-analyze?view=o365-worldwide) | modified | -| 1/5/2024 | [Investigate malicious email that was delivered in Microsoft 365, Find and investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered?view=o365-worldwide) | modified | |
security | Limited Periodic Scanning Microsoft Defender Antivirus | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md | Title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers -keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable ms.mktglfcycl: manage ms.sitesec: library search.appverid: met150 **Platforms** - Windows -Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 or Windows 11 device. +> [!NOTE] +> **Microsoft does not support using this feature in Enterprise environments.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and can't detect most malware and potentially unwanted software. Management of the feature is not supported, the feature cannot be enabled or disabled through policies, and reporting capabilities are extremely limited. Microsoft recommends that enterprise orgnaizations choose a primary antivirus/antimalware solution, and use it exclusively. -It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md). --**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Microsoft Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. 
Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. +Limited periodic scanning is a special type of threat detection and remediation that can be enabled when another antivirus product is installed on a Windows 10 or Windows 11 device. It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md). ## How to enable limited periodic scanning -By default, Microsoft Defender Antivirus will enable itself on a Windows 10 or a Windows 11 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. --If Microsoft Defender Antivirus is enabled, the usual options will appear to configure it on that device: +By default, Microsoft Defender Antivirus enables itself on a Windows 10 or a Windows 11 device if there is no other antivirus product installed, or if the other product is out-of-date, expired, or not working correctly. If Microsoft Defender Antivirus is enabled, the usual options to configure it are available on that device: :::image type="content" source="images/vtp-wdav.png" alt-text="The Windows Security app showing Microsoft Defender Antivirus options, including scan options, settings, and update options" lightbox="images/vtp-wdav.png"::: -If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options. --Underneath any third party AV products, a new link will appear as **Microsoft Defender Antivirus options**. 
Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning. +If another antivirus product is installed and working correctly, Microsoft Defender Antivirus disables itself. In this case, the Windows Security app changes the **Virus & threat protection** section to show status about the antivirus product, and provides a link to the product's configuration options. -Sliding the switch to **On** will show the standard Microsoft Defender Antivirus options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page. +Underneath the name of a non-Microsoft antivirus product, a link appears as **Microsoft Defender Antivirus options**. Select this link to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning. Sliding the switch to **On** shows the standard Microsoft Defender Antivirus options underneath the non-Microsoft antivirus product. The limited periodic scanning option will appear at the bottom of the page. ## Related articles |
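Review bot: typo in the added NOTE line, "enterprise orgnaizations" should read "enterprise organizations". In the same rewrite, the closing sentence "The limited periodic scanning option will appear at the bottom of the page." keeps the future tense that the rest of the edit deliberately removes ("disables itself", "appears", "shows"); change it to "appears at the bottom of the page" so the paragraph is consistent.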
security | Linux Install Manually | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md | This article describes how to deploy Microsoft Defender for Endpoint on Linux ma - [Prerequisites and system requirements](#prerequisites-and-system-requirements) - [Configure the Linux software repository](#configure-the-linux-software-repository)- - [RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2)](#rhel-and-variants-centos-fedora-oracle-linux-and-amazon-linux-2-1) + - [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma-1) - [SLES and variants](#sles-and-variants-1) - [Ubuntu and Debian systems](#ubuntu-and-debian-systems-1)+ - [Mariner](#mariner) - [Application installation](#application-installation)- - [RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2)](#rhel-and-variants-centos-fedora-oracle-linux-and-amazon-linux-2) + - [RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma)](#rhel-and-variants-centos-fedora-oracle-linux-amazon-linux-2-rocky-and-alma) - [SLES and variants](#sles-and-variants) - [Ubuntu and Debian systems](#ubuntu-and-debian-systems)+ - [Mariner](#mariner-1) - [Download the onboarding package](#download-the-onboarding-package) - [Client configuration](#client-configuration) Defender for Endpoint on Linux can be deployed from one of the following channel The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. -In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. 
+In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*. > [!WARNING] > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. Options: Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/installation). -### RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2) +### RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma) - Install `yum-utils` if it isn't installed yet: Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst |Distro & version|Package| |||+ |For Alma 9.2 and higher|<https://packages.microsoft.com/config/alma/9/prod.repo>| |For RHEL/Centos/Oracle 8.0-8.8|<https://packages.microsoft.com/config/rhel/8/prod.repo>| |For RHEL/Centos/Oracle 7.2-7.9 & Amazon Linux 2 |<https://packages.microsoft.com/config/rhel/7.2/prod.repo>| |For Amazon Linux 2023 |<https://packages.microsoft.com/config/amazonlinux/2023/prod.repo>| |For Fedora 33|<https://packages.microsoft.com/config/fedora/33/prod.repo>| |For Fedora 34|<https://packages.microsoft.com/config/fedora/34/prod.repo>|+ |For Rocky 8.7 and higher|<https://packages.microsoft.com/config/rocky/8/prod.repo>| <!--|For RHEL/Centos 6.7-6.10|<https://packages.microsoft.com/config/rhel/6/[channel].repo>|--> Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst > [!TIP] > Use hostnamectl command to identify system related information including release *[version]*. 
- For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel: + For example, if you're running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel: ```bash sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst > [!TIP] > Use SPident command to identify system related information including release *[version]*. - For example, if you are running SLES 12 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: + For example, if you're running SLES 12 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: ```bash sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/inst > [!TIP] > Use hostnamectl command to identify system related information including release *[version]*. - For example, if you are running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: + For example, if you're running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: ```bash curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | su ```bash sudo apt-get update ```+### Mariner ++- Install `dnf-plugins-core` if it isn't installed yet: ++ ```bash + sudo dnf install dnf-plugins-core + ``` ++- Configure and Enable the required repositories ++ > [!NOTE] + > On Mariner, Insider Fast Channel is not available. ++ If you want to deploy Defender for Endpoint on Linux from the *prod* channel. 
Use the following commands + + ```bash + sudo dnf install mariner-repos-extras + sudo dnf config-manager --enable mariner-official-extras + ``` ++ Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to *insiders-slow* channel. Use the following commands: + + ```bash + sudo dnf install mariner-repos-extras-preview + sudo dnf config-manager --enable mariner-official-extras-preview + ``` ## Application installation -### RHEL and variants (CentOS, Fedora, Oracle Linux and Amazon Linux 2) +### RHEL and variants (CentOS, Fedora, Oracle Linux, Amazon Linux 2, Rocky and Alma) ```bash sudo yum install mdatp sudo apt -t bionic install mdatp > [!NOTE] > Reboots are NOT required after installing or updating Microsoft Defender for Endpoint on Linux except when you're running auditD in immutable mode. +### Mariner ++```bash +sudo dnf install mdatp +``` ++> [!NOTE] +> If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-slow` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. ++```bash +sudo dnf config-manager --disable mariner-official-extras-preview +sudo dnf config-manager --enable mariner-official-extras +``` + ## Download the onboarding package Download the onboarding package from Microsoft Defender portal. Download the onboarding package from Microsoft Defender portal. > [!NOTE] > To onboard a device that was previously offboarded you must remove the mdatp_offboard.json file located at /etc/opt/microsoft/mdatp. - If you're running RHEL 8.x or Ubuntu 20.04 or higher, you will need to use `python3`. + If you're running RHEL 8.x or Ubuntu 20.04 or higher, you'll need to use `python3`. 
```bash sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py ``` - For the rest of distros and versions, you will need to use `python`. + For the rest of distros and versions, you'll need to use `python`. ```bash sudo python MicrosoftDefenderATPOnboardingLinuxServer.py Download the onboarding package from Microsoft Defender portal. mdatp health --field org_id ``` -4. Check the health status of the product by running the following command. A return value of `1` denotes that the product is functioning as expected: +4. Check the health status of the product by running the following command. A return value of `true` denotes that the product is functioning as expected: ```bash mdatp health --field healthy Download the onboarding package from Microsoft Defender portal. 5. Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: - - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): + - Ensure that real-time protection is enabled (denoted by a result of `true` from running the following command): ```bash mdatp health --field real_time_protection_enabled ``` - If it is not enabled, execute the following command: + If it isn't enabled, execute the following command: ```bash mdatp config real-time-protection --value enabled The following external package dependencies exist for the mdatp package: - The mdatp RPM package requires "glibc >= 2.17", "audit", "policycoreutils", "semanage" "selinux-policy-targeted", "mde-netfilter" - For RHEL6 the mdatp RPM package requires "audit", "policycoreutils", "libselinux", "mde-netfilter" - For DEBIAN the mdatp package requires "libc6 >= 2.23", "uuid-runtime", "auditd", "mde-netfilter"+- For Mariner the mdatp package requires "attr", "audit", "diffutils", "libacl", "libattr", "libselinux-utils", "selinux-policy", "policycoreutils", "mde-netfilter" The mde-netfilter package 
also has the following package dependencies: - For DEBIAN the mde-netfilter package requires "libnetfilter-queue1", "libglib2.0-0"-- for RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2"+- For RPM the mde-netfilter package requires "libmnl", "libnfnetlink", "libnetfilter_queue", "glib2" +- For Mariner the mde-netfilter package requires "libnfnetlink", "libnetfilter_queue" -If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the pre-requisite dependencies. +If the Microsoft Defender for Endpoint installation fails due to missing dependencies errors, you can manually download the prerequisite dependencies. ## Log installation issues |
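Review bot: the added Mariner repository step is a sentence fragment: "If you want to deploy Defender for Endpoint on Linux from the *prod* channel. Use the following commands" should be a single sentence ending in a colon, matching the *insiders-slow* sentence right below it ("... channel. Use the following commands:"). The bullet "Configure and Enable the required repositories" should use lowercase "enable" and end with a colon like the other bullets in this section.

Review bot: the added NOTE under the Mariner application installation heading says the example "shows how to install the package from the `production` channel", but the two commands that follow only switch repositories (`sudo dnf config-manager --disable mariner-official-extras-preview` and `--enable mariner-official-extras`); either append `sudo dnf install mdatp` after them or reword the note to say the commands select the repository before you run the install.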
security | Linux Resources | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md | There are several ways to uninstall Defender for Endpoint on Linux. If you are u - `sudo yum remove mdatp` for RHEL and variants(CentOS and Oracle Linux). - `sudo zypper remove mdatp` for SLES and variants. - `sudo apt-get purge mdatp` for Ubuntu and Debian systems.+- `sudo dnf remove mdatp` for Mariner ## Configure from the command line |
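Review bot: the added bullet "`sudo dnf remove mdatp` for Mariner" lacks the trailing period that the three existing bullets end with; add it for consistency with the list.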
security | Linux Support Ebpf | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-ebpf.md | The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the > [!NOTE]-> Oracle Linux 8.8 with kernel version 5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64 will result in kernel hang when eBPF is enabled as supplementary subsystem provider. This kernel version should not be used for eBPF mode. Refer to Troubleshooting and Diagnostics section for mitigation steps. +> Oracle Linux 8.8 with kernel version 5.15.0-0.30.20.el8uek.x86_64, 5.15.0-0.30.20.1.el8uek.x86_64 will result in kernel hang when eBPF is enabled as supplementary subsystem provider. This kernel version should not be used for eBPF mode. Refer to Troubleshooting and Diagnostics section for mitigation steps. ## Use eBPF |
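Review bot: the removed and added lines in this hunk are textually identical (the Oracle Linux 8.8 kernel-hang NOTE), so the change appears to be whitespace only; if that is intentional, say so in the commit message, otherwise drop the hunk.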
security | Linux Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md | This article is updated frequently to let you know what's new in the latest rele - [What's new in Defender for Endpoint on macOS](mac-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) +<details> +<summary> Feburary-2024 (Build: 101.23122.0002 | Release version: 30.123122.0002.0)</summary> + + +## Feburary-2024 Build: 101.23122.0002 | Release version: 30.123122.0002.0 + + Released: **February 5,2024**<br/> + Published: **February 5,2024**<br/> + Build: **101.23122.0002**<br/> + Release version: **30.123122.0002.0**<br/> + Engine version: **1.1.23100.2010**<br/> + Signature version: **1.399.1389.0**<br/> + +**What's new** + +There are multiple fixes and new changes in this release: + +- Microsoft Defender for Endpoint on Linux now officially supports Mariner 2, Rocky 8.7 and higher, Alma 9.2 and higher version distros. If you already have MDE running on any of these distros and facing any issues in the older versions, please upgrade to the latest MDE version. Refer our public deployment docs for more details. +- Updated default engine version to `1.1.23100.2010`, and default signatures version to `1.399.1389.0`. +- General stability and performance improvements. +- Bug fixes. + +</details> + <details> <summary> January-2024 (Build: 101.23112.0009 | Release version: 30.123112.0009.0)</summary> This article is updated frequently to let you know what's new in the latest rele  Published: **January 29, 2024**<br/>  Build: **101.23112.0009**<br/>  Release version: **30.123112.0009.0**<br/>- Engine version: **1.1.23110.4**<br/> - Signature version: **1.403.1579.0**<br/> + Engine version: **1.1.23100.2010**<br/> + Signature version: **1.399.1389.0**<br/> **What's new** - Updated default engine version to `1.1.23110.4`, and default signatures version to `1.403.1579.0`. |
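Review bot: the January-2024 hunk changes the engine and signature lines to `1.1.23100.2010` and `1.399.1389.0`, but the unchanged "What's new" bullet directly under it still says "Updated default engine version to `1.1.23110.4`, and default signatures version to `1.403.1579.0`", so the January entry now contradicts itself; either the version lines or the bullet has to match. In the new February-2024 block, "Feburary" is misspelled in both the summary and the heading (heading anchors are generated from that text, so the typo will propagate into links), "February 5,2024" is missing a space after the comma, and "Refer our public deployment docs for more details" should be "Refer to" with an actual link to the deployment article.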
security | Mac Schedule Scan | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md | search.appverid: met150 > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) +> [!IMPORTANT] +> Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ++> [!NOTE] +>The built-in Scheduled Scan is currently in public preview. Review the prerequisites carefully. ++## Schedule a scan *built-in to* Microsoft Defender for Endpoint on macOS + While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. -## Schedule a scan with *launchd* +**Pre-requisites:** ++- Platform Update version: [101.23122.0005](mac-whatsnew.md#jan-2024-build-101231220005release-version-2012312250) or newer +- [Beta Channel (formerly Insiders-Fast), or Current Channel (Preview) (formerly Insiders-Slow)](/microsoft-365/security/defender-endpoint/mac-updates) ++## Schedule a scan with *Microsoft Defender for Endpoint on macOS* ++You can create a scheduled scan for your macOS, which is built in to *Microsoft Defender for Endpoint on macOS*. ++For more information on the _.plist_ file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. 
++The following sample shows the daily and/or weekly configuration for the scheduled scan on macOS. -You can create a scanning schedule using the *launchd* daemon on a macOS device. +> [!TIP] +> Schedules are based on the local time zone of the device. -For more information on the *.plist* file format used here, see [About Information Property List Files](https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/AboutInformationPropertyListFiles.html) at the official Apple developer website. +| Parameter | The acceptable values for this parameter are: | +| | | +| scheduledScan | enabled or disabled | +| scanType | quick or full | +| ignoreExclusions | true or false | +| lowPriorityScheduledScan | true or false | +| dayOfWeek | The range is between 0 and 8. <br>- 0: Everyday <br>- 1: Sunday <br>- 2: Monday <br>- 3: Tuesday <br>- 4: Wednesday <br>- 5: Thursday <br>- 6: Friday <br>- 7: Saturday <br>- 8: Never | +| timeOfDay | Specifies the time of day, as the number of _minutes after midnight_, to perform a scheduled scan. The time refers to the local time on the computer. If you don't specify a value for this parameter, a scheduled scan runs at a default time of two hours after midnight. | +| interval | 0 (never), every 1 (hour) to 24 (hours, 1 scan per day) | +| randomizeScanStartTime | Only applicable for daily quick scans or weekly quick/full scans. Randomize the start time of the scan by up to specified number of hours. <br> For example, if a scan is scheduled for 2 p.m and randomizeScanStartTime is set to 2, the scan commences at a random time between 2 p.m and 4 p.m. | -### Schedule a quick scan +Your scheduled scan runs at the date, time, and frequency you defined in your _plist_. -The following code shows the schema you need to use to schedule a quick scan. 
+### Option 1: Schedule a quick scan using a _plist_ ++In the following example, the daily quick scan configuration is set to run at 885 minutes after midnight (2:45 p.m.).<br> +The weekly configuration is set to run a quick scan on Wednesday at 880 minutes after midnight (2:40 p.m.). +And it's set to ignore exclusions and run on a low priority scan. ++The following code shows the schema you need to use to schedule a quick scan. 1. Open a text editor and use this example as a guide for your own scheduled scan file. - ```XML - <?xml version="1.0" encoding="UTF-8"?> - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" - "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - <plist version="1.0"> - <dict> - <key>Label</key> - <string>com.microsoft.wdav.schedquickscan</string> - <key>ProgramArguments</key> - <array> - <string>sh</string> - <string>-c</string> - <string>/usr/local/bin/mdatp scan quick</string> - </array> - <key>RunAtLoad</key> - <true/> - <key>StartCalendarInterval</key> - <dict> - <key>Hour</key> - <integer>2</integer> - <key>Minute</key> - <integer>0</integer> - <key>Weekday</key> - <integer>5</integer> - </dict> - <key>WorkingDirectory</key> - <string>/usr/local/bin/</string> - </dict> - </plist> - ``` --2. Save the file as *com.microsoft.wdav.schedquickscan.plist* to the /Library/LaunchDaemons directory. 
--### Schedule a full scan +``` XML +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>features</key> + <dict> + <key>scheduledScan</key> + <string>enabled</string> + </dict> + <key>scheduledScan</key> + <dict> + <key>ignoreExclusions</key> + <true/> + <key>lowPriorityScheduledScan</key> + <true/> + <key>dailyConfiguration</key> + <dict> + <key>timeOfDay</key> + <integer>885</integer> + <key>interval</key> + <string>0</string> + </dict> + <key>weeklyConfiguration</key> + <dict> + <key>dayOfWeek</key> + <integer>4</integer> + <key>timeOfDay</key> + <integer>880</integer> + <key>scanType</key> + <string>quick</string> + </dict> + </dict> + </dict> +</plist> +``` ++2. Save the file as _com.microsoft.wdav.plist_. ++### Option 2: Schedule a full scan using a _plist_ 1. Open a text editor and use this example for a full scan. - ```XML - <?xml version="1.0" encoding="UTF-8"?> - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" - "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> - <plist version="1.0"> - <dict> - <key>Label</key> - <string>com.microsoft.wdav.schedfullscan</string> - <key>ProgramArguments</key> - <array> - <string>sh</string> - <string>-c</string> - <string>/usr/local/bin/mdatp scan full</string> - </array> - <key>RunAtLoad</key> - <true/> - <key>StartCalendarInterval</key> - <dict> - <key>Hour</key> - <integer>2</integer> - <key>Minute</key> - <integer>50</integer> - <key>Weekday</key> - <integer>5</integer> - </dict> - <key>WorkingDirectory</key> - <string>/usr/local/bin/</string> - </dict> - </plist> - ``` --2. Save the file as *com.microsoft.wdav.schedfullscan.plist* to the /Library/LaunchDaemons directory. 
- -### Load your file +```XML +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>features</key> + <dict> + <key>scheduledScan</key> + <string>enabled</string> + </dict> +<key>scheduledScan</key> +<dict> + <key>ignoreExclusions</key> + <true/> + <key>lowPriorityScheduledScan</key> + <true/> + <key>dailyConfiguration</key> + <dict> + <key>timeOfDay</key> + <integer>885</integer> + <key>interval</key> + <string>1</string> + </dict> + <key>weeklyConfiguration</key> + <dict> + <key>dayOfWeek</key> + <integer>4</integer> + <key>timeOfDay</key> + <integer>880</integer> + <key>scanType</key> + <string>full</string> + </dict> + </dict> + </dict> +</plist> +``` ++2. Save the file as _com.microsoft.wdav.plist_. ++### Option 3: Configure scheduled scans through CLI tool ++To enable scheduled scan feature: ++|Version|Command| +||| +| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan settings feature --value enabled` | -1. Open **Terminal**. -2. Enter the following commands to load your file: +To schedule hourly quick scans: - ```bash - chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.sched* - chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.sched* - xattr -c /Library/LaunchDaemons/com.microsoft.wdav.sched* - launchctl load -w /Library/LaunchDaemons/<your file name.plist> - ``` +|Version|Command| +||| +| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan quick-scan hourly-interval --value \<arg\>` | -3. Your scheduled scan will run at the date, time, and frequency you defined in your p-list. In the previous examples, the scan runs at 2:50 AM every Friday. - - The `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. The range is between 1 and 7 with 7 representing Sunday. 
- - The `Day` value of `StartCalendarInterval` uses an integer to indicate the third day of the month. The range is between 1 and 31. - - The `Hour` value of `StartCalendarInterval` uses an integer to indicate the second hour of the day. The range is between 0 and 23. - The `Minute` value of `StartCalendarInterval` uses an integer to indicate fifty minutes of the hour. The range is between 0 and 59. - - - > [!IMPORTANT] - > Agents executed with *launchd* will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. - > - > If the device is turned off, the scan will run at the next scheduled scan time. +To schedule daily quick scans: -## Schedule a scan with Intune +|Version|Command| +||| +| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan quick-scan time-of-day --value \<arg\>` | -You can also schedule scans with Microsoft Intune. The runMDATPQuickScan.sh shell script available at [Scripts for Microsoft Defender for Endpoint](https://github.com/microsoft/shell-intune-samples/tree/master/macOS/Config/MDATP) will persist when the device resumes from sleep mode. ++To schedule weekly scans: ++|Version|Command| +||| +| Version 101.23122.\* or higher | `sudo mdatp config scheduled-scan weekly-scan --day-of-week \<arg\> --time-of-day \<arg\>--scan-type \<arg\>` | +++For other configuration options: ++- To check for definitions update before scheduled scans: ++ `sudo mdatp config scheduled-scan settings check-for-definitions --value true` ++- To use low priority threads for scheduled scanning: ++ `sudo mdatp config scheduled-scan settings low-priority --value true` ++### Check that the scheduled scan ran +Use the following command: ++`mdatp scan list` +++`\<snip\>` +++ +> [!IMPORTANT] +> Scheduled scans will not run at the scheduled time while the device is asleep. They will instead run once the device resumes from sleep mode. 
+> If the device is turned off, the scan will run at the next scheduled scan time. -See [Use shell scripts on macOS devices in Intune](/mem/intune/apps/macos-shell-scripts) for more detailed instructions on how to use this script in your enterprise. +> [!TIP] +> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [**Microsoft Defender for Endpoint Tech Community**](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP). |
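Review bot: the parameter table and the three CLI tables use `| | |` or `|||` as the separator row, which Markdown does not accept as an alignment row, so none of them will render as tables; use `|---|---|`. The two H2 headings "## Schedule a scan *built-in to* Microsoft Defender for Endpoint on macOS" and "## Schedule a scan with *Microsoft Defender for Endpoint on macOS*" say the same thing and should be merged ("built in to", and "Pre-requisites" should be "Prerequisites"). In Option 1 the daily block sets `<key>interval</key><string>0</string>` while the table defines 0 as "never", yet the prose says the daily quick scan runs at 885 minutes after midnight; the article needs to state how `timeOfDay` and `interval` combine, and whether `interval` is a string or an integer like `timeOfDay`, which is the one type an admin will get wrong. Neither example sets `scanType` in `dailyConfiguration`, and `randomizeScanStartTime` appears in the table but in no example. Both options end with "Save the file as _com.microsoft.wdav.plist_" with no path and no deployment step, while the removed launchd text did say where the file went and how it was loaded, so an admin following the new text is left with a file and nothing that consumes it. In the CLI tables the escaped `\<arg\>` inside backticks renders the backslashes literally, and `--time-of-day \<arg\>--scan-type` is missing a space. Finally, "Check that the scheduled scan ran" shows only `\<snip\>`; either paste representative `mdatp scan list` output or drop the placeholder.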
security | Mac Troubleshoot Mode | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode.md | + + Title: Troubleshooting mode in Microsoft Defender for Endpoint on macOS +description: This article describes how to enable the troubleshooting mode in Microsoft Defender for Endpoint on macOS. +keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install, mde for mac ++ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +++ms.localizationpriority: medium ++audience: ITPro ++- m365-security +- tier3 +- mde-macos +++search.appverid: met150 Last updated : 02/06/2024+++# Troubleshooting mode in Microsoft Defender for Endpoint on macOS +++**Applies to:** ++- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) ++> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) ++> [!IMPORTANT] +> Some information relates to a pre-released product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ++This article describes how to enable the troubleshooting mode in Microsoft Defender for Endpoint on macOS so admins can troubleshoot various Microsoft Defender Antivirus features temporarily, even if organizational policies manage the devices. 
++For example, if the tamper protection is enabled, certain settings can't be modified or turned off, but you can use troubleshooting mode on the device to edit those settings temporarily. ++Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Troubleshooting mode is exclusively an enterprise-only feature, and requires access to [Microsoft Defender XDR portal](https://security.microsoft.com/). ++## What do you need to know before you begin ++During the troubleshooting mode, you can: ++- Use Microsoft Defender for Endpoint on macOS functional troubleshooting /application compatibility (false positives). +- Local admins, with appropriate permissions, can change the following policy locked configurations on individual endpoints: ++ | Setting | Enable | Disable/Remove | + | -| - | -| + | Real-Time Protection/ Passive mode / On-Demand | `mdatp config real-time-protection --value enabled` | `mdatp config real-time-protection --value disabled` | + | Network Protection | `mdatp config network-protection enforcement-level --value block` | `mdatp config network-protection enforcement-level --value disabled` | + | realTimeProtectionStatistics | `mdatp config real-time-protection-statistics  --value enabled` | `mdatp config real-time-protection-statistics  --value disabled` | + | tags | `mdatp edr tag set --name GROUP --value [name]` | `mdatp edr tag remove --tag-name [name]` | + | groupIds | `mdatp edr group-ids --group-id [group]`| | + | Endpoint DLP | `mdatp config data_loss_prevention --value enabled` | `mdatp config data_loss_prevention --value disabled` | ++During troubleshooting mode, you can't: ++- Disable tamper protection for Microsoft Defender for Endpoint on macOS. +- Uninstall the Microsoft Defender for Endpoint on macOS. ++### Prerequisites ++> [!NOTE] +> Troubleshooting mode on macOS is currently in public preview. Review the prerequisites carefully. 
++- Supported version of macOS for Microsoft Defender for Endpoint. +- Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. +- Permissions for "Manage security settings in Security Center" in Microsoft Defender for Endpoint. +- Platform Update version: [101.23122.0005]( +mac-whatsnew.md#jan-2024-build-101231220005release-version-2012312250) +or newer. +- [Beta Channel (formerly Insiders-Fast), or Current Channel (Preview) (formerly Insiders-Slow)](/microsoft-365/security/defender-endpoint/mac-updates) ++## Enable troubleshooting mode on macOS ++1. Go to the [Microsoft Defender XDR portal](https://security.microsoft.com/), and sign in. +2. Navigate to the device page you would like to turn on troubleshooting mode. Then, select the ellipses(...) and select **Turn on troubleshooting mode**. ++ :::image type="content" source="images/troubleshooting-mode-on-mac.png" alt-text="Screenshot displaying the screenshot of the troubleshooting mode on mac."::: ++ > [!NOTE] + > The **Turn on troubleshooting mode** option is available on all devices, even if the device does not meet the prerequisites for troubleshooting mode. ++3. Read the information displayed on the pane and once you're ready, select **Submit** to confirm that you want to turn on troubleshooting mode for that device. +4. You'll see *It might take a few minutes for the change to take effect* text being displayed. During this time, when you select the ellipses again, you'll see the **Turn On Troubleshooting mode is pending** option grayed-out. +5. Once complete, the device page shows that the device is now in troubleshooting mode. ++ If the end-user is logged-in on the macOS device, they'll see the following text: ++ *Troubleshooting mode has started. This mode allows you to temporarily change settings that are managed by your Administrator. Expires at YEAR-MM-DDTHH:MM:SSZ.* ++ Select **OK**. ++6. 
Once enabled, you can test the different command line options that are togglable in the troubleshooting mode (TS Mode). ++ For example, when you use `mdatp config real-time-protection --value disabled` command to disable real time protection, you'll be prompted to enter your password. Select **OK** after entering your password. ++ :::image type="content" source="images/ts-mode-rtp-disable.png" alt-text="Screenshot displaying the screenshot of real time protection being disabled."::: ++ The output report similar to the following screenshot will be displayed on running mdatp health with `real_time_protection_enabled` as "false" and `tamper_protection` as "block." + + :::image type="content" source="images/ts-mode-mdatp-health.png" alt-text="Screnshot displaying the screenshot of the output report of mdatp health running."::: ++## Advanced hunting queries for detection ++There are some prebuilt advanced hunting queries to give you visibility into the troubleshooting events that are occurring in your environment. You can use these queries to [create detection rules](../defender/custom-detection-rules.md) to generate alerts when devices are in troubleshooting mode. ++### Get troubleshooting events for a particular device ++You can use the following query to search by `deviceId` or `deviceName` by commenting out the respective lines. 
++```kusto +//let deviceName = "<deviceName>"; // update with device name +let deviceId = "<deviceID>"; // update with device id +DeviceEvents +| where DeviceId == deviceId +//| where DeviceName == deviceName +| where ActionType == "AntivirusTroubleshootModeEvent" +| extend _tsmodeproperties = parse_json(AdditionalFields) +| project Timestamp,DeviceId, DeviceName, _tsmodeproperties, + _tsmodeproperties.TroubleshootingState, _tsmodeproperties.TroubleshootingPreviousState, _tsmodeproperties.TroubleshootingStartTime, + _tsmodeproperties.TroubleshootingStateExpiry, _tsmodeproperties.TroubleshootingStateRemainingMinutes, + _tsmodeproperties.TroubleshootingStateChangeReason, _tsmodeproperties.TroubleshootingStateChangeSource +``` ++### Devices currently in troubleshooting mode ++You can find the devices that are currently in troubleshooting mode using the following query: ++```kusto +DeviceEvents +| where Timestamp > ago(3h) // troubleshooting mode automatically disables after 4 hours +| where ActionType == "AntivirusTroubleshootModeEvent" +| extend _tsmodeproperties = parse_json(AdditionalFields) +| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started" +|summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId +| order by Timestamp desc +``` ++### Count of troubleshooting mode instances by device ++You can find the number of troubleshooting mode instances for a device using the following query: ++```kusto +DeviceEvents +| where ActionType == "AntivirusTroubleshootModeEvent" +| extend _tsmodeproperties = parse_json(AdditionalFields) +| where Timestamp > ago(30d) // choose the date range you want +| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started" +| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId +| sort by count_ +``` ++### Total count ++You can know the total count of troubleshooting mode instances using the following query: ++```kusto +DeviceEvents +| where 
ActionType == "AntivirusTroubleshootModeEvent" +| extend _tsmodeproperties = parse_json(AdditionalFields) +| where Timestamp > ago(2d) //beginning of time range +| where Timestamp < ago(1d) //end of time range +| where _tsmodeproperties.TroubleshootingStateChangeReason contains "started" +| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() +| where count_ > 5 // choose your max # of TS mode instances for your time range +``` ++## Recommended content ++- [Microsoft Defender XDR for Endpoint on Mac](microsoft-defender-endpoint-mac.md) +- [Microsoft Defender XDR for Endpoint integration with Microsoft Defender XDR for Cloud Apps](/defender-cloud-apps/mde-integration) +- [Get to know the innovative features in Microsoft Edge](https://www.microsoft.com/en-us/edge/features?form=MW00UY) +- [Protect your network](network-protection.md) +- [Turn on network protection](enable-network-protection.md) +- [Web protection](web-protection-overview.md) +- [Create indicators](manage-indicators.md) +- [Web content filtering](web-content-filtering.md) + |
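Review bot: in the "Devices currently in troubleshooting mode" query, `ago(3h)` disagrees with its own comment "automatically disables after 4 hours", and filtering only on `TroubleshootingStateChangeReason contains "started"` means a device whose mode was ended early is still reported as current; taking `arg_max(Timestamp, ...)` over all `AntivirusTroubleshootModeEvent` rows per device and then filtering on the latest `TroubleshootingState` would reflect the actual state (also `|summarize` is missing a space). In the "Total count" query the summarize has no `by`, so `where count_ > 5` yields a single row or nothing; say so, since the heading promises a count. In Prerequisites the link `[101.23122.0005]( mac-whatsnew.md#jan-2024-build-...)` is broken across lines with a space after the opening parenthesis and will not render. In the settings table the "Real-Time Protection/ Passive mode / On-Demand" row only gives real-time-protection commands, the `groupIds` row has an empty Disable/Remove cell, and `real-time-protection-statistics  --value` has a double space. Under "Recommended content", "Microsoft Defender XDR for Endpoint on Mac" and "Microsoft Defender XDR for Cloud Apps" look like an over-eager rename; the products are Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps. Alt texts: "Screnshot" is misspelled, and "Screenshot displaying the screenshot of" should lose the repetition.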
security | Mac Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md | +- [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md) +- [What's new in Microsoft Defender for Endpoint on iOS](ios-whatsnew.md) ++**Built-in Scheduled Scan for macOS** (Public Preview) ++Scheduled Scan built-in for Microsoft Defender for Endpoint on macOS is now available in Public Preview. To learn more, see [How to schedule scans with Microsoft Defender for Endpoint on macOS](mac-schedule-scan.md). ++**Troubleshooting mode for macOS** (Public Preview) ++Troubleshooting mode helps you identify instances where antivirus might be causing issues with your applications or system resources. Troubleshooting mode for macOS is now available in Public Preview. To learn more, see [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](mac-troubleshoot-mode.md). **Mac devices receive built-in protection** -Tamper protection is turned on in block mode by default to help secure your Mac against threats. To learn more, see [Protect macOS security settings with tamper protection](built-in-protection.md). +Tamper protection is turned on in block mode by default. This setting helps secure your Mac against threats. To learn more, see [Protect macOS security settings with tamper protection](built-in-protection.md). **Network protection available for macOS** Network protection for macOS is now available for all Mac devices onboarded to D **Known issues** -Apple has fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), which is fixed with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly. 
+Apple fixed an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), which is fixed with the latest OS update. The issue impacts Microsoft Defender for Endpoint security extensions, and might result in losing Full Disk Access Authorization, impacting its ability to function properly. **Sonoma support** Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. > [!NOTE] > If you use Device Control v1, consider migrating to v2 (that includes all v1 functionality and more). > Device Control v1 will be considered deprecated in the nearest future.-> To check, run the [mdatp health --details device_control](mac-device-control-overview.md#status) command, and inspect the `active` property, it should not contain "v1". +> To check, run the `[mdatp health --details device_control](mac-device-control-overview.md#status)` command, and inspect the `active` property, it should not contain "v1". ### Oct-2023 (Build: 101.23082.0018 | Release version: 20.123082.18.0) Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. ##### What's new - [[device control](mac-device-control-overview.md)] Detailed status with `mdatp health --details device_control`-- [[device control](mac-device-control-overview.md)] `mdatp config device-control policy` to [set policy](mac-device-control-manual.md) on a non-managed machine+- [[device control](mac-device-control-overview.md)] `mdatp config device-control policy` to [set policy](mac-device-control-manual.md) on a nonmanaged machine - Bug and performance fixes ### Sep-2023 (Build: 101.23072.0025 | Release version: 20.123072.25.0) Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. 
##### What's new - Bug and performance fixes-- Fix: Security Portal events may have missed ancestors details for short lived processes+- Fix: Security Portal events might have missed ancestors details for short lived processes - Fix: Major performance issues on macOS when Network Protection is set to Audit mode ### Aug-2023 (Build: 101.23062.0016 | Release version: 20.123062.16.0) Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. ##### What's new - Client version schema change-- Fix: Defender does not start on a machine with certain versions of Edge due to directory permission issue+- Fix: Defender doesn't start on a machine with certain versions of Microsoft Edge due to directory permission issue - Bug and performance fixes ### Jun-2023 (Build: 101.98.84 | Release version: 20.123042.19884.0) Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** -- Bug fix: Upgrade fails if \_mdatp user a member of \_lpadmin group+- Bug fix: Upgrade fails if `\_mdatp` user a member of `\_lpadmin` group <br/> </details> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. - Bug fix - Mac TP in Block mode causing device hang on shutdown/crashes on reboot - Add a mdatp command-line switch to view the on-demand scan history-- Improve Performance of Device Owner on MacOs+- Improve Performance of Device Owner on macOS - Ready for macOS Ventura (13.0) - Bug and performance fixes Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. 
**What's new** -- Addressed an issue where printing could not be completed successfully due to the network extension+- Addressed an issue where printing couldn't be completed successfully due to the network extension - Added an option to [configure file hash computation](mac-preferences.md#configure-file-hash-computation-feature)-- From this build onwards, the product will have the new anti-malware engine by default+- From this build onwards, the product has the new anti-malware engine by default - Performance improvements for file copy operations - Bug fixes Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** -- `mdatp connectivity test` was extended with an extra URL that the product requires to function correctly. The new URL is [https://go.microsoft.com/fwlink/?linkid=2144709](https://go.microsoft.com/fwlink/?linkid=2144709).-- Up until now, the product log level wasn't persisted between product restarts. Starting from this version, there's a new command-line tool switch that persists the log level. The new command is `mdatp log level persist --level <level>`.+- `mdatp connectivity test` added an extra URL. The new URL is [https://go.microsoft.com/fwlink/?linkid=2144709](https://go.microsoft.com/fwlink/?linkid=2144709). +- Up until now, the product log level didn't persist between product restarts. Beginning in this version, there's a new command-line tool switch that persists the log level. The new command is `mdatp log level persist --level <level>`. - Fixed a bug in the product installation package that in rare cases could lead a loss of product state during updates - Performance improvements for file copy operations and built-in macOS applications - Bug fixes Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. 
**What's new** -- Fixed a bug where threat-related notifications were not always presented to the end user.-- Performance improvements & other bug fixes+- Fixed a bug where threat-related notifications weren't always presented to the end user. +- Performance improvements & other updates. <br/> </details> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** -- Addressed an issue where `mdatp diagnostic real-time-protection-statistics` was not printing the correct process path in some cases.+- Addressed an issue where `mdatp diagnostic real-time-protection-statistics` wasn't printing the correct process path in some cases. - Bug fixes <br/> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** -- This version adds support for macOS 12.3. Starting with macOS 12.3, [Apple is removing Python 2.7](https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes). There will be no Python version preinstalled on macOS by default. **ACTION NEEDED**:- - Users must update Microsoft Defender for Endpoint for Mac to version 101.59.50 (or newer) prior to updating their devices to macOS Monterey 12.3 (or newer). This minimal version 101.59.50 is a prerequisite to eliminating Python-related issues with Microsoft Defender for Endpoint for Mac on macOS Monterey. - - For remote deployments, existing MDM setups must be updated to Microsoft Defender for Endpoint for Mac version 101.59.50 (or newer). Pushing via MDM an older Microsoft Defender for Endpoint for Mac version to macOS Monterey 12.3 (or newer) will result in an installation failure. +- This version adds support for macOS 12.3. Starting with macOS 12.3, [Apple is removing Python 2.7](https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes). There's no Python version preinstalled on macOS by default. 
**ACTION NEEDED**: + - Users must update Microsoft Defender for Endpoint for Mac to version 101.59.50 (or newer) before updating their devices to macOS Monterey 12.3 (or newer). This minimal version 101.59.50 is a prerequisite to eliminating Python-related issues with Microsoft Defender for Endpoint for Mac on macOS Monterey. + - For remote deployments, existing MDM setups must be updated to Microsoft Defender for Endpoint for Mac version 101.59.50 (or newer). Pushing via MDM an older Microsoft Defender for Endpoint for Mac version to macOS Monterey 12.3 (or newer) results in an installation failure. \*\*\n <br/> </details> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. - The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`. - Extended device control to handle devices connected over Thunderbolt 3-- Improved the handling of device control policies containing invalid vendor IDs and product IDs. Prior to this version, if the policy contained one or more invalid IDs, the entire policy was ignored. Starting from this version, only the invalid portions of the policy are ignored. Issues with the policy are surfaced through `mdatp device-control removable-media policy list`.+- Improved the handling of device control policies containing invalid vendor IDs and product IDs. Before this version, if the policy contained one or more invalid IDs, the entire policy was ignored. Starting from this version, only the invalid portions of the policy are ignored. Issues with the policy are surfaced through `mdatp device-control removable-media policy list`. - Bug fixes <br/> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** -- The application has been renamed from "Microsoft Defender ATP" to "Microsoft Defender". 
End users will observe the following changes:+- The application is renamed from "Microsoft Defender ATP" to "Microsoft Defender". End users observe the following changes: - The application installation path has been changed from `/Application/Microsoft Defender ATP.app` to `/Applications/Microsoft Defender.app`. - Within the user experience, occurrences of "Microsoft Defender ATP" have been replaced with "Microsoft Defender"-- Resolved an issue where some VPN applications could not connect due to the network content filter that is distributed with Microsoft Defender for Endpoint for Mac-- Addressed an issue discovered in macOS 12.2 beta 2 where the installation package could not be opened due to a change in the operating system (OS) that prevents installation of packages with certain characteristics. While it appears that this OS change is not included in the final release of macOS 12.2, it is likely that it will be reintroduced in a future macOS version. As such, we encourage all enterprise administrators to refresh the Microsoft Defender for Endpoint package in their management console to this product version (or a newer version).-- Addressed an issue seen on some M1 devices where the product was stuck with invalid antimalware definitions and could not successfully update to a working set of definitions.-- `mdatp health` output has been extended with an additional attribute called `full_disk_access_enabled` that can be used to determine whether Full Disk Access has been granted to all components of Microsoft Defender for Endpoint for Mac.+- Resolved an issue where some VPN applications couldn't connect due to the network content filter that is distributed with Microsoft Defender for Endpoint for Mac +- Addressed an issue discovered in macOS 12.2 preview 2 where the installation package couldn't be opened due to a change in the operating system (OS) that prevents installation of packages with certain characteristics. 
While it appears that this OS change isn't included in the final release of macOS 12.2, it's likely that it will be reintroduced in a future macOS version. As such, we encourage all enterprise administrators to refresh the Microsoft Defender for Endpoint package in their management console to this product version (or a newer version). +- Addressed an issue seen on some M1 devices where the product was stuck with invalid anti-malware definitions and couldn't successfully update to a working set of definitions. +- `mdatp health` output has been extended with a more attribute called `full_disk_access_enabled` that can be used to determine whether Full Disk Access has been granted to all components of Microsoft Defender for Endpoint for Mac. - Performance improvements & bug fixes <br/> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** - [Device control for macOS](mac-device-control-overview.md) is now in general availability.-- Addressed an issue where a quick scan could not be started from the status menu on macOS 11 (Big Sur).+- Addressed an issue where a quick scan couldn't be started from the status menu on macOS 11 (Big Sur). - Other bug fixes <br/> Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** - Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. 
Threats detected during scans triggered through the user interface still require manual action.-- `mdatp diagnostic real-time-protection-statistics` now supports two additional switches:+- `mdatp diagnostic real-time-protection-statistics` now supports two other switches: - `--sort`: sorts the output descending by total number of files scanned - `--top N`: displays the top N results (only works if `--sort` is also specified) - Performance improvements (specifically for when `YARN` is used) & bug fixes Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** -- This product version has been validated on macOS Big Sur 11 beta 9.+- This product version has been validated on macOS Big Sur 11 preview 9. - The new syntax for the mdatp command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender for Endpoint on macOS](mac-resources.md#configuring-from-the-command-line). > [!NOTE] > The old command-line tool syntax will be removed from the product on **January 1st, 2021**. Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. - Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID. > [!NOTE] > `mdatp --health` will be replaced with `mdatp health` in a future product update.-- Fixed a bug where automatic sample submission was not marked as managed in the user interface.+- Fixed a bug where automatic sample submission wasn't marked as managed in the user interface. - Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history). 
- Bug fixes Microsoft Defender supports macOS Sonoma (14.0) in the current Defender release. **What's new** - Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions).-- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu.+- When Full Disk Access isn't enabled on the device, a warning is now displayed in the status menu. - Performance improvements & bug fixes <br/> |
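Review bot: the rewritten `mdatp health` bullet now reads "extended with a more attribute called `full_disk_access_enabled`"; the original "an additional attribute" was correct, so this looks like a mechanical word substitution and should read "an additional attribute" (or "a new attribute"). The same substitution hit the `mdatp connectivity test` bullet, which lost the statement that the new URL is one "the product requires to function correctly"; admins who maintain proxy or firewall allow lists need that sentence, so keep it. Renaming Apple's "beta 2" and "beta 9" builds to "preview 2" and "preview 9" changes a vendor release label rather than house style and should be reverted. Smaller points: "could lead a loss of product state" is missing "to", "Performance improvements & other bug fixes" became "other updates", which changes the meaning, and the stray `\*\*\n` after the ACTION NEEDED list should be removed.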
security | Microsoft Defender Endpoint Linux | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md | This topic describes how to install, configure, update, and use Microsoft Defend ## How to install Microsoft Defender for Endpoint on Linux -Microsoft Defender for Endpoint for Linux includes antimalware and endpoint detection and response (EDR) capabilities. +Microsoft Defender for Endpoint for Linux includes anti-malware and endpoint detection and response (EDR) capabilities. ### Prerequisites In general you need to take the following steps: - Amazon Linux 2 - Amazon Linux 2023 - Fedora 33 or higher+ - Rocky 8.7 and higher + - Alma 9.2 and higher + - Mariner 2 > [!NOTE] > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions). |
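Review bot: the three added distributions (`Rocky 8.7 and higher`, `Alma 9.2 and higher`, `Mariner 2`) appear with a different indentation from the existing `- Fedora 33 or higher` item, which will break the rendered list; align them with the surrounding items. While this list is being touched, the unchanged NOTE line "Distributions and version that are not explicitly listed" should read "versions".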
security | Respond Machine Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md | For more information on live response, see [Investigate entities on devices usin As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker. -> [!IMPORTANT] -> These actions are not currently supported for devices running macOS or Linux. Use live response to run the action. For more information on live response, see [Investigate entities on devices using live response](live-response.md) - To download the package (Zip file) and investigate the events that occurred on a device: 1. Select **Collect investigation package** from the row of response actions at the top of the device page. |
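Review bot: dropping the IMPORTANT note removes the only statement in this region about whether collecting an investigation package is supported on macOS and Linux, and the remaining steps say nothing about platform. If the action is now supported there, say so once so readers of older guidance know the live response workaround is no longer needed; if it is not, the note should stay.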
security | Supported Capabilities By Platform | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform.md | The following table gives information about the supported Microsoft Defender for |[Device response capabilities: collect investigation package ](respond-machine-alerts.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[3]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[3]</sup> | |[Device response capabilities: run AV scan](respond-machine-alerts.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | |[Device isolation](respond-machine-alerts.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) <sup>[4]</sup> | ![No](images/svg/check-no.svg) <sup>[4]</sup> | +|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) | |[Live Response](live-response.md) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | <sup>[1]</sup> Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md). |
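Review bot: removing the `<sup>[4]</sup>` markers from the macOS and Linux cells of the "File response capabilities" row leaves the `[4]` footnote text beneath the table (not shown in this hunk) with nothing pointing to it; either delete that footnote or renumber the remaining ones, and consider whether the bare "No" cells still need the explanation the footnote carried.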
security | Fixed Reported Inaccuracies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies.md | This article provides information on inaccuracies that have been reported. You c The following tables present the relevant vulnerability information organized by month: +## February 2024 ++Inaccuracy report ID |Description |Fix date | +|:|:|:| +| - | Fixed inaccuracy in Snow Inventory Agent | 06-Feb-24 +| 42360 | Fixed inaccuracy in GitHub vulnerabilities - CVE-2020-10519 & CVE-2021-22863 | 12-Feb-24 ++ ## January 2024 Inaccuracy report ID |Description |Fix date | Inaccuracy report ID |Description |Fix date | | 38717 | Defender Vulnerability Management doesn't currently support CVE-2023-36397 | 17-Jan-24 | 43673 | Defender Vulnerability Management doesn't currently support Lenovo ThinkPad T14 Gen 2 Firmware | 17-Jan-24 | 43513 | Fixed inaccuracies in OpenSSL invalid file detections | 17-Jan-24+| 41204 | Fixed inaccuracy in Affinity photo | 21-Jan-24 +| 40584 | Fixed inaccuracy in Veeam One Client | 21-Jan-24 +| 40704 | Fixed inaccuracy in Windows Subsystem for Linux(WSL) | 21-Jan-24 +| 43600 | Fixed inaccuracy in Dell RVTools | 21-Jan-24 +| 43378 | Fixed inaccuracy in Decisive Tactics Serial | 21-Jan-24 +| 43466 | Fixed inaccuracy in Intel- Dynamic Tuning Technology (DTT) | 21-Jan-24 +| 35750 | Fixed inaccuracy in Bitdefender Internet Security | 21-Jan-24 +| 44190 | Fixed inaccuracy in CVE-2023-48670 | 29-Jan-24 +| 43565 | Fixed inaccuracy in WinSCP Vulnerability - CVE-2023-48795 | 30-Jan-24 +| - | Fixed detection issues in Ignite Realtime Openfire | 30-Jan-24 +| - | Fixed inaccuracy in GitLab | 30-Jan-24 +| - | Added Microsoft Defender Vulnerability Management support to SAP Business Client | 30-Jan-24 +| - | Added Microsoft Defender Vulnerability Management support to SAP GUI | 30-Jan-24 +| - | Added Microsoft Defender Vulnerability Management support to PostgreSQL | 
30-Jan-24 +| - | Added Microsoft Defender Vulnerability Management support to Adobe Digital Editions | 30-Jan-24 ## December 2023 |
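Review bot: the new February 2024 table header uses `|:|:|:|` as its delimiter row, which is not a valid Markdown table separator (each cell needs at least one dash, for example `|:--|:--|:--|`), so the table will render as plain text; copy the header used by the January 2024 table instead. Minor: "Windows Subsystem for Linux(WSL)" is missing a space before the parenthesis, and the added rows have no trailing `|` while the header does.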
security | Advanced Hunting Security Copilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-security-copilot.md | Threat hunters or security analysts who are not yet familiar with or have yet to This feature reduces the time it takes to write a hunting query from scratch so that threat hunters and security analysts can focus on hunting and investigating threats. -Users with access to Security Copilot have access to this capability in advanced hunting. +Users with access to Security Copilot have access to this capability in advanced hunting. ++> [!NOTE] +> The advanced hunting capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). ## Try your first request 1. Open the **advanced hunting** page from the navigation bar in Microsoft Defender XDR. The Security Copilot side pane for advanced hunting appears at the right hand side. |
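Review bot: the first -/+ pair on "Users with access to Security Copilot have access to this capability in advanced hunting." shows no textual change, so it is a whitespace-only edit that only adds diff noise. In the added NOTE, "Know more about" is not the phrasing these docs use; "Learn more about" is the usual lead-in, and the same wording appears in the other Security Copilot pages in this change set.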
security | Microsoft 365 Security Center Mdo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md | View reports, change your settings, and modify user roles. ![The quick launch menu for Microsoft Defender XDR permissions and reporting, on the left navigation pane in the Microsoft Defender portal.](../../media/m365d-settings-nav.png) > [!NOTE]-> DomainKeys Identified Mail (DKIM) ensures that destination email systems trust messages sent outbound from your custom domain. -> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys through Microsoft Defender XDR: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> \> **Rules** section \> **DKIM**. +> For Defender for Office 365 users, you can now *manage and rotate* DKIM keys in Microsoft Defender XDR at <https://security.microsoft.com/authentication?viewid=DKIM>. > > For more information, see [Use DKIM to validate outbound email sent from your custom domain](/microsoft-365/security/office-365-security/email-authentication-dkim-configure). |
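Review bot: the rewritten NOTE drops the sentence explaining what DKIM does, so it now opens with the management instruction and no context; keep the first sentence and replace only the navigation path, which the new direct link `https://security.microsoft.com/authentication?viewid=DKIM` correctly supersedes.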
security | Security Copilot M365d Create Incident Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-create-incident-report.md | While an [incident summary](security-copilot-m365d-incident-summary.md) provides This guide lists the data in incident reports and contains steps on how to access the incident report creation capability within the portal. It also includes information on how to provide feedback about the generated report. +> [!NOTE] +> The incident report generation capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). + ## Technical requirements [Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). |
security | Security Copilot M365d Guided Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-guided-response.md | Title: Use guided responses with Security Copilot in Microsoft Defender XDR description: Use guided responses with Security Copilot in Microsoft Defender XDR to respond to incidents. -keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident response playbooks, remediate incident, remediation actions, incident solution, resolve incidents +keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, incident response playbooks, remediate incident, remediation actions, incident solution, resolve incidents, guided responses, security copilot guided response, copilot in security guided response, security copilot guided response in Microsoft Defender XDR ms.mktglfcycl: deploy ms.sitesec: library Responding to incidents in Microsoft Defender XDR often requires familiarity wit This guide outlines how to access the guided response capability of Security Copilot in Microsoft Defender XDR, including information on providing feedback about the responses. +> [!NOTE] +> The guided response capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). + ## Technical requirements [Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). |
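Review bot: the expanded `keywords` metadata repeats "incident response playbooks" twice (carried over from the old line) and then adds four near-identical "guided response" variants; trim the duplicates, since repeated keywords add nothing to search. The new NOTE uses "Know more about", where "Learn more about" is the usual phrasing.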
security | Security Copilot M365d Incident Summary | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-incident-summary.md | Incident responders can easily gain the right context to investigate and remedia This guide outlines what to expect and how to access the summarizing capability of Security Copilot within Microsoft Defender XDR, including information on providing feedback. +> [!NOTE] +> The incident summary capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). + ## Technical requirements [Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). |
security | Security Copilot M365d Script Analysis | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/security-copilot-m365d-script-analysis.md | Title: Analyze scripts and codes with Security Copilot in Microsoft Defender XDR + Title: Run script and code analysis with Security Copilot in Microsoft Defender XDR description: Use Security Copilot script analysis embedded in Microsoft Defender XDR to investigate scripts and codes.-keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer +keywords: security copilot, Microsoft Defender XDR, embedded experience, incident summary, script analyzer, script analysis, query assistant, m365, incident report, guided response, incident response playbooks, incident response, powershell, powershell analysis, bash, batch, bash analysis, batch analysis, code analysis, code analyzer, security copilot script analysis, copilot in security script analysis, security copilot script analysis in Microsoft Defender XDR ms.mktglfcycl: deploy ms.sitesec: library-# Analyze scripts and codes with Microsoft Security Copilot in Microsoft Defender XDR +# Run script and code analysis with Microsoft Security Copilot in Microsoft Defender XDR [!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] The script analysis capability of Security Copilot in Microsoft Defender XDR pro This guide describes what the script analysis capability is and how it works, including how you can provide feedback on the results generated. +> [!NOTE] +> The script analysis capability is also available in the Security Copilot standalone experience through the Microsoft Defender XDR plugin. 
Know more about [preinstalled plugins in Microsoft Security Copilot](/security-copilot/manage-plugins#preinstalled-plugins). + ## Technical requirements [Learn how you can get started with Security Copilot](/security-copilot/get-started-security-copilot). |
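Review bot: the title and H1 were changed from "Analyze scripts and codes" to "Run script and code analysis", but the `description` still says "investigate scripts and codes"; "codes" is non-idiomatic here, and the description should follow the new title ("scripts and code"). The added NOTE uses "Know more about" rather than the usual "Learn more about".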
security | Alert Policies Defender Portal | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/alert-policies-defender-portal.md | In Microsoft 365 organizations with mailboxes in Exchange Online, alert policies - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): - _Create and manage alert policies in the Threat management category_: Membership in the **Organization Management** or **Security Administrator** role groups. - _View alerts in the Threat management_ category: Membership in the **Security Reader** role group.- - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. + - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. For information about other alert policy categories, see [Permissions required to view alerts](/purview/alert-policies#rbac-permissions-required-to-view-alerts). |
security | Anti Phishing Policies About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-policies-about.md | description: Admins can learn about the anti-phishing policies that are availabl search.appverid: met150 Previously updated : 10/9/2023 Last updated : 12/21/2023 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> The following spoof settings are available in anti-phishing policies in EOP and > > - Anti-spoofing protection is enabled in the Standard and Strict preset security policies, and is enabled by default in the default anti-phishing policy and in new custom anti-phishing policies that you create. > - You don't need to disable anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).- > - Disabling anti-spoofing protection only disables _implicit_ spoofing protection from [composite authentication](email-authentication-about.md#composite-authentication) checks. For information about how _explicit_ [DMARC](email-authentication-dmarc-configure.md) checks are affected by anti-spoofing protection and the configuration of the DMARC policy (`p=quarantine` or `p=reject` in the DMARC record), see the [Spoof protection and sender DMARC policies](#spoof-protection-and-sender-dmarc-policies) section. 
+ > - Disabling anti-spoofing protection only disables _implicit_ spoofing protection from [composite authentication](email-authentication-about.md#composite-authentication) checks. For information about how _explicit_ [DMARC](email-authentication-dmarc-configure.md) checks are affected by anti-spoofing protection and the configuration of the source domain's DMARC policy (`p=quarantine` or `p=reject` in the DMARC TXT record), see the [Spoof protection and sender DMARC policies](#spoof-protection-and-sender-dmarc-policies) section. - **Unauthenticated sender indicators**: Available in the **Safety tips & indicators** section only when spoof intelligence is turned on. See the details in the next section. - **Actions**: For messages from blocked spoofed senders (automatically blocked by spoof intelligence or manually blocked in the Tenant Allow/Block list), you can also specify the action to take on the messages: The relationship between spoof intelligence and whether sender DMARC policies ar |**Spoof intelligence Off**|Implicit email authentication checks aren't used. <br/><br/> Explicit email authentication failures: <ul><li>DMARC policy `p=quarantine`: Use the **If the message is detected as spoof and DMARC policy is set as p=quarantine** action in the anti-phishing policy.</li><li>DMARC policy `p=reject`: Use the **If the message is detected as spoof and DMARC policy is set as p=reject** action in the anti-phishing policy.</li><li>DMARC policy `p=none`: The message isn't identified as spoofing by Microsoft 365, but other protection features in the filtering stack are still able to act on the message.</li></ul>|Implicit email authentication checks aren't used. 
<br/><br/> Explicit email authentication failures: <ul><li>DMARC policy `p=quarantine`: Messages are quarantined.</li><li>DMARC policy `p=reject`: Messages are quarantined.</li><li>DMARC policy `p=none`: The message isn't identified as spoofing by Microsoft 365, but other protection features in the filtering stack are still able to act on the message.| > [!NOTE]-> If the MX record for the domain points to a third-party service or device that sits in front of Microsoft 365, the **Honor DMARC policy** setting is applied only if [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) is enabled for the connector that receives inbound messages. +> If the MX record for the Microsoft 365 domain points to a third-party service or device that sits in front of Microsoft 365, the **Honor DMARC policy** setting is applied only if [Enhanced Filtering for Connectors](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) is enabled for the connector that receives inbound messages. >-> Customers can override the **Honor DMARC policy** setting for specific email messages and/or senders using tenant and user overrides. +> Customers can override the **Honor DMARC policy** setting for specific email messages and/or senders using the following methods: +> +> - [Admins](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox) or [users](https://support.microsoft.com/office/48c9f6f7-2309-4f95-9a4d-de987e880e46) can add the senders to the Safe Senders list in the user's mailbox. +> - Admins can use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict) or the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) to allow messages from the spoofed sender. 
+> - Admins create an Exchange mail flow rule (also known as a transport rule) for all users that allows messages for those particular senders. +> - Admins create an Exchange mail flow rule for all users for rejected email that fails the organization's DMARC policy. ### Unauthenticated sender indicators Unauthenticated sender indicators are part of the [Spoof settings](#spoof-settin To prevent the question mark or "via" tag from being added to messages from specific senders, you have the following options: - Allow the spoofed sender in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). Allowing the spoofed sender prevents the "via" tag from appearing in messages from the sender, even if the **Show "via" tag** setting is turned on in the policy.-- [Configure email authentication](email-authentication-about.md#configure-email-authentication-for-domains-you-own) for the sender domain.+- [Configure email authentication](email-authentication-about.md) for the sender domain. - For the question mark in the sender's photo, SPF or DKIM are the most important. - For the "via" tag, confirm the domain in the DKIM signature or the **MAIL FROM** address matches (or is a subdomain of) the domain in the From address. |
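Review bot: the last added override method, "an Exchange mail flow rule for all users for rejected email that fails the organization's DMARC policy", names the wrong domain's policy: earlier in this same hunk the text correctly calls it the "source domain's DMARC policy", and the Honor DMARC policy setting acts on the sender's published policy, not the receiving organization's. The four bullets also mix "can add" and "can use" with "create"; make the form consistent. Since every listed method (Safe Senders, spoof intelligence allow, Tenant Allow/Block List, mail flow rules) bypasses DMARC enforcement for the affected senders, one sentence saying that such overrides should be scoped to specific senders would help readers who reach this list looking for a quick fix.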
security | Anti Phishing Protection Spoofing About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about.md | If all else fails, you can report the message as a false positive to Microsoft. ## Considerations for anti-spoofing protection -If you're an admin who currently sends messages to Microsoft 365, you need to ensure that your email is properly authenticated. Otherwise, it might be marked as spam or phishing. For more information, see [Solutions for legitimate senders who are sending unauthenticated email](email-authentication-about.md#solutions-for-legitimate-senders-who-are-sending-unauthenticated-email). +If you're an admin who currently sends messages to Microsoft 365, you need to ensure that your email is properly authenticated. Otherwise, it might be marked as spam or phishing. For more information, see [How to avoid email authentication failures when sending mail to Microsoft 36](email-authentication-about.md#how-to-avoid-email-authentication-failures-when-sending-mail-to-microsoft-36). Senders in individual user (or admin) Safe Senders lists bypass parts of the filtering stack, including spoof protection. For more information, see [Outlook Safe Senders](create-safe-sender-lists-in-office-365.md#use-outlook-safe-senders). |
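Review bot: the replacement link text ends in "Microsoft 36" and the fragment `#how-to-avoid-email-authentication-failures-when-sending-mail-to-microsoft-36` ends the same way; verify that the target heading is "...Microsoft 365" and fix the link text and, if needed, the anchor, since a wrong fragment silently lands the reader at the top of the page.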
security | Anti Spoofing Spoof Intelligence | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md | On the **Spoof intelligence insight** page, you can sort the entries by clicking - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)). - **External**: The spoofed sender is in an external domain. - **Action**: This value is **Allowed** or **Blocked**:- - **Allowed**: The domain failed explicit email authentication checks [SPF](email-authentication-anti-spoofing.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md). However, the domain passed our implicit email authentication checks ([composite authentication](email-authentication-about.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message. + - **Allowed**: The domain failed explicit email authentication checks [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md). However, the domain passed our implicit email authentication checks ([composite authentication](email-authentication-about.md#composite-authentication)). As a result, no anti-spoofing action was taken on the message. - **Blocked**: Messages from the combination of the spoofed domain _and_ sending infrastructure are marked as bad by spoof intelligence. The action that's taken on the spoofed messages is controlled by the default anti-phishing policy or custom anti-phishing policies (the default value is **Move message to Junk Email folder**). For more information, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md). 
To change the list of spoofed senders from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**. Be diligent about spoofing and phishing protection. Here are related ways to che - Check the **Spoof Mail Report**. Use this report often to view and help manage spoofed senders. For information, see [Spoof Detections report](reports-email-security.md#spoof-detections-report). -- Review your Sender Policy Framework (SPF) configuration. For a quick introduction to SPF and to get it configured quickly, see [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md).--- Review your DomainKeys Identified Mail (DKIM) configuration. You should use DKIM in addition to SPF and DMARC to help prevent attackers from sending messages that look like they are coming from your domain. DKIM lets you add a digital signature to email messages in the message header. For information, see [Use DKIM to validate outbound email sent from your custom domain in Office 365](email-authentication-dkim-configure.md).--- Review your Domain-based Message Authentication, Reporting, and Conformance (DMARC) configuration. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks. 
For information, see [Use DMARC to validate email in Office 365](email-authentication-dmarc-configure.md).+- Review your SPF, DKIM, and DMARC configuration. For more information, see the following articles: + - [Email authentication in Microsoft 365](email-authentication-about.md) + - [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md) + - [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md) + - [Use DMARC to validate email](email-authentication-dmarc-configure.md) + - [Configure trusted ARC sealers](email-authentication-arc-configure.md) |
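Review bot: the removed SPF bullet pointed readers with hybrid or non-standard deployments to the in-depth article email-authentication-anti-spoofing.md for troubleshooting, and the replacement list has no equivalent pointer. If that troubleshooting content now lives in one of the five linked articles, say so in the new bullet; if not, keep a pointer to wherever it moved so the hybrid guidance is not silently lost.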
security | Audit Log Search Defender Portal | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/audit-log-search-defender-portal.md | In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E - You need to be assigned permissions before you can do the procedures in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations \ Security data \ Security data basics (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Compliance Management** role groups.- - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. + - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Compliance Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. ## Open audit log search |
security | Campaigns | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md | The tabs in the campaign details flyout allow you to further investigate the cam - **Total count** - **Inboxed** - **Not Inboxed**- - **SPF passed**: The sender was authenticated by the [Sender Policy Framework (SPF)](email-authentication-anti-spoofing.md). A sender that doesn't pass SPF validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender. + - **SPF passed**: The sender was authenticated by the [Sender Policy Framework (SPF)](email-authentication-spf-configure.md). A sender that doesn't pass SPF validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender. - **Senders** - **Sender**: This is the actual sender address in the SMTP **MAIL FROM** command, which isn't necessarily the **From:** email address that users see in their email clients. - **Total count** - **Inboxed** - **Not Inboxed**- - **DKIM passed**: The sender was authenticated by [Domain Keys Identified Mail (DKIM)](email-authentication-dkim-support-about.md). A sender that doesn't pass DKIM validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender. + - **DKIM passed**: The sender was authenticated by [Domain Keys Identified Mail (DKIM)](email-authentication-dkim-configure.md). A sender that doesn't pass DKIM validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender. - **DMARC passed**: The sender was authenticated by [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](email-authentication-dmarc-configure.md). A sender that doesn't pass DMARC validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender. - **Attachments** |
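Review bot: the `+` line for **DKIM passed** keeps the spelling "Domain Keys Identified Mail", but the standard's name is written as one word, "DomainKeys Identified Mail" (the other articles in this set use that form). Since the line is being touched for the link change anyway, correct the name at the same time: `[DomainKeys Identified Mail (DKIM)](email-authentication-dkim-configure.md)`.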
security | Email Authentication About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-about.md | f1.keywords: - NOCSH -+ audience: ITPro search.appverid:-description: Admins can learn how EOP uses email authentication (SPF, DKIM, and DMARC) to help prevent spoofing, phishing, and spam. +description: Admins can learn how email authentication (SPF, DKIM, DMARC) works and how Microsoft 365 uses traditional email authentication and composite email authentication to identify messages as spoofing, or pass messages that would otherwise be identified as spoofing. Previously updated : 6/20/2023 Last updated : 1/29/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> -# Email authentication in EOP +# Email authentication in Microsoft 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -Email authentication (also known as _email validation_) is a group of standards that tries to stop email messages from forged senders (also known as _spoofing_). Microsoft 365 uses the following standards to verify inbound email: +As a Microsoft 365 organization with mailboxes in Exchange Online, or a standalone Exchange Online Protection (EOP) organization without Exchange Online mailboxes, protecting the integrity of email messages from senders in your domains is important. Recipients should feel confident that messages from senders in your domain really came from senders in your domain. 
-- [SPF](email-authentication-spf-configure.md)-- [DKIM](email-authentication-dkim-configure.md)-- [DMARC](email-authentication-dmarc-configure.md)+Email authentication (also known as _email validation_) is a group of standards to identify and prevent the delivery of email messages from forged senders (also known as _spoofing_). Spoofed senders are commonly used in business email compromise (BEC), phishing, and other email attacks. These standards include: -Email authentication verifies that email messages from a sender (for example, laura@contoso.com) are legitimate and come from expected sources for that email domain (for example, contoso.com). +- **Sender Policy Framework (SPF)**: Specifies the source email servers that are authorized to send mail for the domain. +- **DomainKeys Identified Mail (DKIM)**: Uses a domain to digitally sign important elements of the message to ensure the message hasn't been altered in transit. +- **Domain-based Message Authentication, Reporting and Conformance (DMARC)**: Specifies the action for messages that fail SPF or DKIM checks for senders in the domain, and specifies where to send the DMARC results (reporting). +- **Authenticated Received Chain (ARC)**: Preserves original email authentication information by known services that modify messages in transit. The destination email server can use this information to authenticate messages that would otherwise fail DMARC. -The rest of this article explains how these technologies work, and how EOP uses them to check inbound email. For information about configuring SPF, DKIM, and DMARC records in DNS, see the previous links. +It's important to realize that these standards are _interdependent building blocks_ that _work together_ to provide the best possible email protection against spoofing and phishing attacks. _Anything less than all of the email authentication methods results in substandard protection_. 
-## Use email authentication to help prevent spoofing +To configure email authentication for mail **sent from** Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, see the following articles: -DMARC prevents spoofing by examining the **From** address in messages. The **From** address is the sender's email address that users see in their email client. Destination email organizations can also verify that the email domain has passed SPF or DKIM. In other words, the source domain is a valid source for senders in the **From** address, so the sender's email address isn't spoofed. +- [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md) +- [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md) +- [Use DMARC to validate email](email-authentication-dmarc-configure.md) -However, DNS records for SPF, DKIM, and DMARC (collectively known as _email authentication policies_) are optional. Domains with strong email authentication policies are protected from spoofing. But domains with weaker email authentication policies or no policy at all are prime targets for being spoofed. +To prevent email authentication failures due to services that modify **inbound** mail sent to your Microsoft 365 organization, see [Configure trusted ARC sealers](email-authentication-arc-configure.md). -Lack of strong email authentication policies is a large problem. While organizations might not understand how email authentication works, attackers fully understand and they take advantage. Because of phishing concerns and the limited adoption of strong email authentication policies, Microsoft uses _implicit email authentication_ to check inbound email. +The rest of this article explains: -Implicit email authentication is an extension of regular email authentication policies. 
These extensions include: sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques. In the absence of other signals from these extensions, messages sent from domains that don't use email authentication policies are marked as spoofing. +- [Why internet email needs authentication](#why-internet-email-needs-authentication) +- [How SPF, DKIM, and DMARC work together to authenticate email message senders](#how-spf-dkim-and-dmarc-work-together-to-authenticate-email-message-senders) +- [How Microsoft uses email authentication to check inbound mail sent to Microsoft 365](#inbound-email-authentication-for-mail-sent-to-microsoft-365) +- [How to avoid email authentication failures when sending mail to Microsoft 365](#how-to-avoid-email-authentication-failures-when-sending-mail-to-microsoft-36) -To see Microsoft's general announcement, see [A Sea of Phish Part 2 - Enhanced Anti-spoofing in Microsoft 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Schooling-A-Sea-of-Phish-Part-2-Enhanced-Anti-spoofing/ba-p/176209). +## Why internet email needs authentication -## Composite authentication +By design, Simple Mail Transfer Protocol (SMTP) email on the internet makes no effort to validate that the message sender is who they claim to be. -If a domain doesn't have traditional SPF, DKIM, and DMARC records, those record checks don't communicate enough authentication status information. Therefore, Microsoft has developed an algorithm for implicit email authentication. This algorithm combines multiple signals into a single value called _composite authentication_, or `compauth` for short. The `compauth` value is stamped into the **Authentication-Results** header in the message headers. 
+A standard SMTP email message consists of a _message envelope_ and message content: -```text -Authentication-Results: - compauth=<fail | pass | softpass | none> reason=<yyy> +- The message envelope contains information for transmitting and receiving the message between SMTP servers. The message envelope is described in [RFC 5321](https://tools.ietf.org/html/rfc5321). Recipients never see the message envelope because it's generated during the message transmission process. +- The message content contains message header fields (collectively called the _message header_) and the message body. The message header is described in [RFC 5322](https://tools.ietf.org/html/rfc5322). ++Because of this design, a message has multiple sender values: ++- The MAIL FROM address (also known as the `5321.MailFrom` address, P1 sender, or envelope sender) is the email address that's used in the transmission of the message between SMTP email servers. This address is typically recorded in the **Return-Path** header field in the message header (although the source email server can designate a different **Return-Path** email address). This email address is used in non-delivery reports (also known as NDRs or bounce messages). +- The From address (also known as the `5322.From` address or P2 sender) is the email address in the **From** header field, and is the sender's email address that's shown in email clients. ++The following example shows the simplified transcript of a valid message transmission between two SMTP email servers: ++```console +S: HELO woodgrovebank.com +S: MAIL FROM: dubious@proseware.com +S: RCPT TO: astobes@tailspintoys.com +S: DATA +S: To: "Andrew Stobes" <astobes@tailspintoys.com> +S: From: "Woodgrove Bank Security" <security@woodgrovebank.com> +S: Subject: Woodgrove Bank - Action required +S: +S: Greetings, +S: +S: We need to verify your banking details. +S: Please click the following link to verify that we have the right information for your account. 
+S: +S: https://short.url/woodgrovebank/updateaccount/12-121.aspx +S: +S: Thank you, +S: Woodgrove Bank +S: . ``` -These values are explained at [Authentication-results message header](message-headers-eop-mdo.md#authentication-results-message-header). +In this example: -By examining the message headers, admins and users can determine how Microsoft 365 determined that the sender is spoofed. +- The source email server identifies itself as woodgrovebank.com to the destination email server tailspintoys.com in the HELO command. +- The message recipient is `astobes@tailspintoys.com`. +- The MAIL FROM address in the message envelope (used to transmit the message between SMTP email servers) is `dubious@proseware.com`. +- The From address that's shown in the recipient's email client is `security@woodgrovebank.com`. -## Why email authentication isn't always enough to stop spoofing +Although this message is valid according to SMTP, the domain of the MAIL FROM address (proseware.com) doesn't match the domain in the From address (woodgrovebank.com). This message is a classic example of spoofing, where the intent is likely to deceive the recipient by masking the true source of the message to use in a phishing attack. -Relying only on email authentication records to determine if an incoming message is spoofed has the following limitations: +Clearly, SMTP email needs help to verify that message senders are who they claim to be! -- The source domain might lack the required DNS records, or the records are incorrectly configured.-- The source domain has correctly configured DNS records, but that domain doesn't match the domain in the From address. SPF and DKIM don't require the domain to be used in the From address. Attackers or legitimate services can register a domain, configure SPF and DKIM for the domain, and use a different domain in the From address. 
Messages from senders in this domain pass SPF and DKIM.+## How SPF, DKIM, and DMARC work together to authenticate email message senders -Composite authentication can address these limitations by passing messages that would otherwise fail email authentication checks. +This section describes why you need SPF, DKIM, and DMARC for domains on the internet. -For simplicity, the following examples concentrate on email authentication results. Other back-end intelligence factors could identify messages that pass email authentication as spoofed, or messages that fail email authentication as legitimate. +- **SPF**: As explained in [Set up SPF to identify valid email sources for your Microsoft 365 domain](email-authentication-spf-configure.md), SPF uses a TXT record in DNS to identify valid sources of mail from the MAIL FROM domain, and what to do if the destination email server receives mail from an undefined source ('hard fail' to reject the message; 'soft fail' to accept and mark the message). -For example, the fabrikam.com domain has no SPF, DKIM, or DMARC records. Messages from senders in the fabrikam.com domain can fail composite authentication (note the `compauth` value and reason): + **SPF issues**: -```text -Authentication-Results: spf=none (sender IP is 10.2.3.4) - smtp.mailfrom=fabrikam.com; contoso.com; dkim=none - (message not signed) header.d=none; contoso.com; dmarc=none - action=none header.from=fabrikam.com; compauth=fail reason=001 -From: chris@fabrikam.com -To: michelle@contoso.com -``` + - SPF validates sources for senders in the MAIL FROM domain only. SPF doesn't consider the domain in the From address or alignment between the MAIL FROM and From domains: + - An attacker can send email that passes SPF authentication (a false negative) by following these steps: + - Register a domain (for example, proseware.com) and configure SPF for the domain. 
+ - Send email from a valid source for the registered domain, with the From email addresses in a different domain (for example, woodgrovebank.com). + - A legitimate email service that sends mail on behalf of other domains might control the MAIL FROM address. The other domains and the MAIL FROM domain don't match, so the messages can't pass SPF authentication (a false positive). -If fabrikam.com configures an SPF without a DKIM record, the message can pass composite authentication. The domain that passed SPF checks is aligned with the domain in the From address: + - SPF breaks after messages encounter server-based email forwarding that redirects or _relays_ messages. + - Server-based email forwarding changes the message source from the original server to the forwarding server. + - The forwarding server isn't authorized to send mail from the original MAIL FROM domain, so the message can't pass SPF authentication (a false positive). -```text -Authentication-Results: spf=pass (sender IP is 10.2.3.4) - smtp.mailfrom=fabrikam.com; contoso.com; dkim=none - (message not signed) header.d=none; contoso.com; dmarc=bestguesspass - action=none header.from=fabrikam.com; compauth=pass reason=109 -From: chris@fabrikam.com -To: michelle@contoso.com -``` + - Each domain and any subdomains require their own individual SPF records. Subdomains don't inherit the SPF record of the parent domain. This behavior becomes problematic if you want to allow email from defined and used subdomains, but prevent email from undefined and unused subdomains. -If fabrikam.com configures a DKIM record without an SPF record, the message can pass composite authentication. 
The domain in the DKIM signature is aligned with the domain in the From address: +- **DKIM**: As explained in [Set up DKIM to sign mail from your Microsoft 365 domain](email-authentication-dkim-configure.md), DKIM uses a domain to digitally sign important elements of the message (including the From address) and stores the signature in the message header. The destination server verifies that the signed elements of the message weren't altered. -```text -Authentication-Results: spf=none (sender IP is 10.2.3.4) - smtp.mailfrom=fabrikam.com; contoso.com; dkim=pass - (signature was verified) header.d=outbound.fabrikam.com; - contoso.com; dmarc=bestguesspass action=none - header.from=fabrikam.com; compauth=pass reason=109 -From: chris@fabrikam.com -To: michelle@contoso.com -``` + **How DKIM helps SPF**: DKIM can validate messages that fail SPF. For example: -If the domain in SPF or the DKIM signature doesn't align with the domain in the From address, the message can fail composite authentication: + - Messages from an email hosting service where the same MAIL FROM address is used for mail from other domains. + - Messages that encounter server-based email forwarding. -```text -Authentication-Results: spf=none (sender IP is 192.168.1.8) - smtp.mailfrom=maliciousdomain.com; contoso.com; dkim=pass - (signature was verified) header.d=maliciousdomain.com; - contoso.com; dmarc=none action=none header.from=contoso.com; - compauth=fail reason=001 -From: chris@contoso.com -To: michelle@fabrikam.com -``` + Because the DKIM signature in the message header isn't affected or altered in these scenarios, these messages are able to pass DKIM. ++ **DKIM issues**: The domain that DKIM uses to sign a message doesn't need to match the domain in the From address that's shown in email clients. ++ Like SPF, an attacker can send email that passes DKIM authentication (a false negative) by following these steps: ++ - Register a domain (for example, proseware.com) and configure DKIM for the domain. 
+ - Send email with the From email addresses in a different domain (for example, woodgrovebank.com). ++- **DMARC**: As explained in [Set up DMARC to validate the From address domain for senders in Microsoft 365](email-authentication-dmarc-configure.md), DMARC uses SPF and DMARC to check for alignment between the domains in the MAIL FROM and From addresses. DMARC also specifies the action that the destination email system should take on messages that fail DMARC, and identifies where to send DMARC results (both pass and fail). ++ **How DMARC helps SPF and DKIM**: As previously described, SPF makes no attempt to match the domain in MAIL FROM domain and From addresses. DKIM doesn't care if the domain that signed the message matches the domain in the From address. ++ DMARC addresses these deficiencies by using SPF and DKIM to confirm that the domains in the MAIL FROM and From addresses match. ++ **DMARC issues**: Legitimate services that modify messages in transit before delivery break SPF, DKIM, and therefore DMARC checks. -## Solutions for legitimate senders who are sending unauthenticated email +- **ARC**: As explained in [Configure trusted ARC sealers](email-authentication-arc-configure.md), legitimate services that modify messages in transit can use ARC to preserve the original email authentication information of modified messages. -Microsoft 365 keeps track of who is sending unauthenticated email to your organization. If the service thinks the sender isn't legitimate, it marks messages from this sender as a composite authentication failure. To avoid this verdict, you can use the recommendations in this section. + **How ARC helps DMARC**: The destination email system can identify the service as a trusted ARC sealer. ARC can then use the preserved email authentication information to validate the message. 
-### Configure email authentication for domains you own +## Inbound email authentication for mail sent to Microsoft 365 -You can use this method to resolve intra-org spoofing and cross-domain spoofing in cases where you own or interact with multiple tenants. It also helps resolve cross-domain spoofing where you send to other customers within Microsoft 365 or third parties that are hosted by other providers. +Because of phishing concerns and less than complete adoption of strong email authentication policies by email senders on the internet, Microsoft 365 uses _implicit email authentication_ to check inbound email. Implicit email authentication extends regular SPF, DKIM, and DMARC checks by using signals from other sources to evaluate inbound email. These sources include: -- [Configure SPF records](email-authentication-spf-configure.md) for your domains.-- [Configure DKIM records](email-authentication-dkim-configure.md) for your primary domains.-- [Consider setting up DMARC records](email-authentication-dmarc-configure.md) for your domain to determine your legitimate senders.+- Sender reputation. +- Sender history. +- Recipient history. +- Behavioral analysis. +- Other advanced techniques. -Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, that information is available online. There are also third party companies dedicated to helping your organization set up email authentication records. +To see Microsoft's original announcement about implicit authentication, see [A Sea of Phish Part 2 - Enhanced Anti-spoofing in Microsoft 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Schooling-A-Sea-of-Phish-Part-2-Enhanced-Anti-spoofing/ba-p/176209). -#### You don't know all sources for your email +By using these other signals, messages that would otherwise fail traditional email authentication checks can pass implicit authentication and be allowed into Microsoft 365. 
-Many domains don't publish SPF records because they don't know all of the email sources for messages in their domain. Start by publishing an SPF record that contains all of the email sources you know about (especially where your corporate traffic is located), and publish the enforcement rule value "soft fail" (`~all`) in the SPF record. For example: +### Composite authentication ++The results of Microsoft 365's implicit authentication checks are combined and stored in a single value named _composite authentication_ or `compauth` for short. The `compauth` value is stamped into the **Authentication-Results** header in the message headers. The **Authentication-Results** header uses the following syntax: ```text-fabrikam.com IN TXT "v=spf1 include:spf.fabrikam.com ~all" +Authentication-Results: + compauth=<fail | pass | softpass | none> reason=<yyy> ``` -This example means that email from your corporate infrastructure passes email authentication, but email from unknown sources falls back to "soft fail". Typically, email servers are configured to deliver these messages. +These values are explained at [Authentication-results message header](message-headers-eop-mdo.md#authentication-results-message-header). ++Admins and users can examine the message headers to discover how Microsoft 365 identified the sender as spoofed or legitimate. ++The following examples focus on the results of email authentication only (the `compauth` value and reason). Other Microsoft 365 protection technologies can identify messages that pass email authentication as spoofed, or identify messages that fail email authentication as legitimate. ++- **Scenario**: The fabrikam.com domain has no SPF, DKIM, or DMARC records. +- **Result**: Messages from senders in the fabrikam.com domain can fail composite authentication: -Microsoft 365 treats inbound email from your corporate infrastructure as authenticated. 
Email from unidentified sources might still be marked as spoof if it fails implicit authentication. However, this behavior is still an improvement from all email being marked as spoof by Microsoft 365. + ```text + Authentication-Results: spf=none (sender IP is 10.2.3.4) + smtp.mailfrom=fabrikam.com; contoso.com; dkim=none + (message not signed) header.d=none; contoso.com; dmarc=none + action=none header.from=fabrikam.com; compauth=fail reason=001 + From: chris@fabrikam.com + To: michelle@contoso.com + ``` -Once you've gotten started with an SPF fallback policy of `~all`, you can gradually discover and include more email sources for your messages, and then update your SPF record with a stricter policy. +- **Scenario**: The fabrikam.com domain has an SPF record and no DKIM record. The domains in the MAIL FROM and From addresses match. +- **Result**: The message can pass composite authentication, because the domain that passed SPF matches the domain in the From address: -### Configure permitted senders of unauthenticated email + ```text + Authentication-Results: spf=pass (sender IP is 10.2.3.4) + smtp.mailfrom=fabrikam.com; contoso.com; dkim=none + (message not signed) header.d=none; contoso.com; dmarc=bestguesspass + action=none header.from=fabrikam.com; compauth=pass reason=109 + From: chris@fabrikam.com + To: michelle@contoso.com + ``` -You can also use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict) and the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) to permit senders to transmit unauthenticated messages to your organization. +- **Scenario**: The fabrikam.com domain has a DKIM record without an SPF record. The domain that DKIM signed the message matches the domain in the From address. 
+- **Result**: The message can pass composite authentication, because the domain in the DKIM signature matches the domain in the From address: -For external domains, the spoofed user is the domain in the From address, while the sending infrastructure is one of the following values: + ```text + Authentication-Results: spf=none (sender IP is 10.2.3.4) + smtp.mailfrom=fabrikam.com; contoso.com; dkim=pass + (signature was verified) header.d=outbound.fabrikam.com; + contoso.com; dmarc=bestguesspass action=none + header.from=fabrikam.com; compauth=pass reason=109 + From: chris@fabrikam.com + To: michelle@contoso.com + ``` -- The source IP address (divided up into /24 CIDR ranges)-- The organizational domain of the reverse DNS (PTR) record.-- A verified DKIM domain.+- **Scenario**: The domain in the SPF record or the DKIM signature doesn't match the domain in the From address. +- **Result**: The message can fail composite authentication: -### Create an allow entry for the sender/recipient pair + ```text + Authentication-Results: spf=none (sender IP is 192.168.1.8) + smtp.mailfrom=maliciousdomain.com; contoso.com; dkim=pass + (signature was verified) header.d=maliciousdomain.com; + contoso.com; dmarc=none action=none header.from=contoso.com; + compauth=fail reason=001 + From: chris@contoso.com + To: michelle@fabrikam.com + ``` -To bypass spam filtering for some senders, but not malware or high confidence phishing, see [Create safe sender lists in Microsoft 365](create-safe-sender-lists-in-office-365.md). +## How to avoid email authentication failures when sending mail to Microsoft 36 -### Ask the sender to configure email authentication for domains you don't own +> [!TIP] +> Microsoft 365 customers can use the following methods to allow messages from senders that are identified as spoofing or authentication failures: +> +> - [Spoof intelligence insight](anti-spoofing-spoof-intelligence.md). 
+> - [Allow entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders). +> - [Safe sender lists](create-safe-sender-lists-in-office-365.md) -Because of the problem of spam and phishing, Microsoft recommends email authentication for all email organizations. Instead of configuring manual overrides in your organization, you can ask an admin in the source domain to configure their email authentication records. +- **Configure SPF, DKIM, and DMARC records for your domains**: Use the configuration information that's provided by your domain registrar or DNS hosting service. There are also third party companies dedicated to helping set up email authentication records. -- Even if they didn't need to publish email authentication records in the past, they should do so if they send email to Microsoft.-- Set up SPF to publish the domain's sending IP addresses, and set up DKIM (if available) to digitally sign messages. They should also consider setting up DMARC records.-- If they use bulk senders to send email on their behalf, verify that the domain in the From address (if it belongs to them) aligns with the domain that passes SPF or DMARC.-- Verify the following locations (if they use them) are included in the SPF record:- - On-premises email servers. - - Email sent from a software-as-a-service (SaaS) provider. - - Email sent from a cloud-hosting service (Microsoft Azure, GoDaddy, Rackspace, Amazon Web Services, etc.). -- For small domains that are hosted by an ISP, configure the SPF record according to the instructions from the ISP.+ Many companies don't publish SPF records because they don't know all of the email sources for messages in their domain. -While it might be difficult at first to get sending domains to authenticate, but successful email delivery compels them to do so as more email filters junk or even reject their email. 
Also, their participation can help in the fight against phishing, and can reduce the possibility of phishing in their organization or organizations that they send email to. + 1. Start by publishing an SPF record that contains all email sources that you know about (especially where your corporate traffic is located), and use the enforcement rule value "soft fail" (`~all`). For example: -#### Information for infrastructure providers (ISPs, ESPs, or cloud hosting services) + ```text + fabrikam.com IN TXT "v=spf1 include:spf.fabrikam.com ~all" + ``` -If you host a domain's email or provide hosting infrastructure that can send email, you should do the following steps: + If you create this SPF record, Microsoft 365 treats inbound email from your corporate infrastructure as authenticated, but email from unidentified sources might still be marked as spoof if it fails composite authentication. However, this behavior is still an improvement from all email from senders in the domain being marked as spoof by Microsoft 365. Typically, destination email system accept messages from senders in the domain from unidentified sources when SPF is configured with a soft fail enforcement rule. -- Ensure your customers have documentation that explains how your customers should configure their SPF records-- Consider signing DKIM-signatures on outbound email, even if the customer doesn't explicitly set it up (sign with a default domain). You can even double-sign the email with DKIM signatures (once with the customer's domain if they have set it up, and a second time with your company's DKIM signature)+ 2. Discover and include more email sources for your messages. For example: + - On-premises email servers. + - Email sent from a software-as-a-service (SaaS) provider. + - Email sent from a cloud-hosting service (Microsoft Azure, GoDaddy, Rackspace, Amazon Web Services, etc.). -Delivery to Microsoft isn't guaranteed, even if you authenticate email originating from your platform. 
But, the configuration ensures that Microsoft doesn't junk your email because it isn't authenticated. + After you identify all email sources for your domain, you can update your SPF record to use the enforcement rule value "hard fail" (`-all`). -## Related links + 3. Set up DKIM to digitally sign messages. + + 4. Set up DMARC to validate that the domains in the MAIL FROM and From addresses match, to specify what to do with messages that fail DMARC checks (reject or quarantine), and to identify reporting services to monitor DMARC results. -For more information about service providers best practices, see [M3AAWG Mobile Messaging Best Practices for Service Providers](https://www.m3aawg.org/sites/default/files/m3aawg-mobile-messaging-best-practices-service-providers-2015-08_0.pdf). + 5. If you use bulk senders to send email on your behalf, verify that the domain in the From address matches the domain that passes SPF or DMARC. -Learn how Office 365 uses SPF and supports DKIM validation: +- **You host a domain's email or provide hosting infrastructure that can send email**: + - Ensure your customers have documentation that explains how to configure SPF for their domains. + - Consider DKIM signing DKIM outbound mail, even if the customer doesn't explicitly set up DKIM in their domain (sign with a default domain). You can even double-sign the email with DKIM signatures (with your company domain and the customer's domain if/when it's available). -- [More about SPF](email-authentication-anti-spoofing.md)-- [More about DKIM](email-authentication-dkim-support-about.md)+ Delivery to Microsoft isn't guaranteed, even if you authenticate email originating from your platform. But, email authentication ensures that Microsoft doesn't automatically junk email from your customer domains simply because it isn't authenticated. |
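Review bot: The second DKIM scenario in the new "Scenario/Result" list states that "the domain that DKIM signed the message matches the domain in the From address", but the header beside it shows `header.d=outbound.fabrikam.com` against `header.from=fabrikam.com`, so the match is an organizational-domain (relaxed alignment) match rather than an exact one; say so, or readers will assume a subdomain signer fails composite authentication. Two statements about DMARC in the same section are imprecise in the same direction: step 4 says DMARC validates "that the domains in the MAIL FROM and From addresses match", and step 5 says to verify the From domain "matches the domain that passes SPF or DMARC". DMARC requires the From domain to align with either the SPF-authenticated MAIL FROM domain or the DKIM `d=` domain, so a message whose MAIL FROM differs still passes when the DKIM signature aligns; suggest "aligns with the domain that passes SPF or DKIM" in step 5 and "validate that the From domain aligns with the SPF or DKIM domain" in step 4 (the removed bulk-sender bullet had the same "SPF or DMARC" wording, so this is the moment to fix it). Typos to correct before merge: the heading "## How to avoid email authentication failures when sending mail to Microsoft 36" appears cut off in the rendered diff (confirm it ends in "365"); "Typically, destination email system accept messages" should read "systems accept"; and "Consider DKIM signing DKIM outbound mail" repeats "DKIM".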
security | Email Authentication Anti Spoofing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-anti-spoofing.md | - Title: How Sender Policy Framework (SPF) prevents spoofing - - CSH ----- - MET150 -- - m365-security - - tier2 -- - seo-marvel-apr2020 -description: Learn how Microsoft 365 uses the Sender Policy Framework (SPF) TXT record in DNS to ensure that destination email systems trust messages sent from your custom domain. -- Previously updated : 6/15/2023-appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing ---An _SPF TXT record_ is a record in DNS that helps prevent spoofing and phishing by identifying valid sources of messages from senders in the domain. SPF validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain. --> [!NOTE] -> SPF record types were deprecated by the Internet Engineering Task Force (IETF) in 2014. Instead, ensure that you use TXT records in DNS to publish your SPF information. The rest of this article uses the term SPF TXT record for clarity. --Domain administrators publish SPF information in TXT records in DNS. The SPF information identifies authorized outbound email servers for the domain. Destination email systems verify that messages from senders in the domain came from authorized outbound email servers. 
If you're already familiar with SPF or you have a simple email environment, you can go to [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md) to create the SPF record for your domain. If your email environment isn't fully hosted in Microsoft 365, if you want more information about how SPF works, or if you want to troubleshoot SPF for Microsoft 365, keep reading. --> [!NOTE] -> Previously, SharePoint online required an additional SPF TXT record in your custom domain. This additional SPF TXT record is no longer required. This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. If you receive the "too many lookups" error, modify your SPF TXT record as described in [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md). --## How SPF works to prevent spoofing and phishing in Microsoft 365 --SPF determines whether or not a sender is permitted to send on behalf of a domain. If the message source isn't valid for the domain (the message fails the SPF check on the destination email server), the spam policy configured on the destination email server determines what to do with the message. --A valid SPF TXT record contains the following elements: --- A declaration that this is an SPF TXT record (`v=spf1`).-- IP addresses that are allowed to send mail from the domain.-- External domains that can send on the domain's behalf (for example, `include:contoso.net include:contoso.org`).-- The destination email server also does a DNS lookup on the SPF TXT record for the specified external domains (contoso.net, then contoso.org), and then does more lookups for any other domains included in the DNS TXT records for _those_ domains. To help prevent denial of service (DoS) attacks, the maximum number of DNS lookups for a single email message is 10. Each `include:` statement in the chain of DNS TXT records counts as one DNS lookup. 
For tips on how to avoid this condition, see the [Troubleshooting: Best practices for SPF in Microsoft 365](#troubleshooting-best-practices-for-spf-in-microsoft-365) section later in this article. --- An enforcement rule (hard fail `-all`, soft fail `~`, or neutral `?all`). For example, if messages contain senders in contoso.com, but not from the specified IP addresses or external domains, the destination email server should apply the enforcement rule to the messages.--These elements are described in detail later in this article. --SPF works best when the path from sender to receiver is direct. For example: ---The message passes the SPF check and is authenticated at woodgrovebank.com if IP address #1 is in the SPF TXT record for contoso.com. --In this example, an attacker decides to spoof mail from contoso.com: ---The message fails the SPF check at woodgrovebank.com, and woodgrovebank.com might choose to mark the message as spam because IP address #12 isn't in the SPF TXT record for contoso.com. --One drawback of SPF is that it doesn't work on forwarded email. For example, a user at woodgrovebank.com has set up a forwarding rule to send all email to an outlook.com account: ---The message originally passes the SPF check at woodgrovebank.com, but it fails the SPF check at outlook.com because IP #25 isn't in contoso.com's SPF TXT record. Outlook.com might then mark the message as spam. To work around this problem, use SPF with other email authentication methods, such as [DKIM](email-authentication-dkim-configure.md) and [DMARC](email-authentication-dmarc-configure.md). --The rest of this article explains the elements of an SPF TXT record and describes how to create SPF TXT records in Microsoft 365. --## Create SPF TXT records for Microsoft 365 --Use the information in this article to create the SPF TXT record for your custom domain. Although there are other syntax options that aren't mentioned here, this article describes the most commonly used options. 
--For information about the domains you need to include for Microsoft 365, see [External DNS records required for SPF](/microsoft-365/enterprise/external-domain-name-system-records). Use the [step-by-step instructions](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for updating SPF (TXT) records at your domain registrar. --### SPF TXT record syntax for Microsoft 365 --A typical SPF TXT record has the following syntax: --```text -v=spf1 [<ip4>|<ip6>:<IPAddress1> <ip4>|<ip6>:<IPAddress2>... <ip4>|<ip6>:<AddressN>] [include:<DomainName1> include:<DomainName1>... include:<DomainNameN>] <enforcement rule> -``` --For example: --```text -v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 include:spf.protection.outlook.com -all -``` ---- `v=spf1` is required. This text identifies the TXT record as an SPF TXT record.--- `ipv4:` or `ipv6:` indicates the type of IP address that you're using.--- Typically, the IP addresses that you specify are the outbound email servers for your organization. Instead of individual IP addresses, you can also specify IP address ranges using CIDR notation, for example `ip4:192.168.0.1/26`.--- Use `include:` statements to add domains as legitimate senders. For example, any custom domain with mailboxes in Microsoft 365 requires the value `include:spf.protection.outlook.com`. For a list of domain names you should include for Microsoft 365, see [External DNS records required for SPF](/microsoft-365/enterprise/external-domain-name-system-records).--- The enforcement rule is one of the following values:- - `-all`: Hard fail. Mark the message with 'hard fail' in the message envelope and follow the destination email server's configured spam policy for this type of message. 
We recommend this value in the following scenarios: - - You know all of the authorized IP addresses for mail in your domain, and those IP addresses are listed in the SPF TXT record. - - You're only using SPF, not DMARC or DKIM. -- - `~all`: Soft fail. Mark the message with 'soft fail' in the message envelope. Typically, email servers are configured to deliver these messages. Most end users don't see this mark. We recommend this value in the following scenarios only; otherwise, we recommend `-all`: - - You're unsure if you have the complete list authorized IP addresses for mail in your domain. - - You're using DMARC with `p=quarantine` or `p=reject`. -- - `?all`: Neutral. Do nothing (don't mark the message envelope). Used for testing SPF. We don't recommend using this value in your production environment. --### Example: SPF TXT record when all mail is sent by Microsoft 365 --If you have mailboxes in Microsoft 365, the SPF TXT record for your custom domain must contain the value `include:spf.protection.outlook.com`. If no other devices, services, or third-party services (for example, bulk mailing services) are authorized to send email from your domain, use the enforcement value `-all` (hard fail) as previously described. Your SPF TXT record looks like this: --```text -v=spf1 include:spf.protection.outlook.com -all -``` --### Example: SPF TXT record in hybrid environments --In hybrid environments with on-premises mailboxes and mailboxes in Microsoft 365, you also need to specify the IP addresses of all email servers, devices, or third-party services that are authorized to send email from your domain. In this example, that's 192.168.0.1, 192.168.0.2, and 192.168.0.3. If you're confident that you've identified all authorized email sources for your domain, use the enforcement value `-all` (hard fail). 
Your SPF TXT record looks something like this: --```text -v=spf1 ip4:192.168.0.1 ip4:192.168.0.2 ip4:192.168.0.3 include:spf.protection.outlook.com -all -``` --## Next steps --Follow the steps in [Set up SPF in Microsoft 365 to help prevent spoofing](email-authentication-spf-configure.md) to add the SPF TXT record for your custom domain at your domain registrar. --To help protect against phishing and spoofing techniques that SPF can't, you should also configure DKIM and DMARC DNS records in your domain. To get started, see [Use DKIM to validate outbound email sent from your custom domain in Microsoft 365](email-authentication-dkim-configure.md) and [Use DMARC to validate email in Microsoft 365](email-authentication-dmarc-configure.md). --## Troubleshooting: Best practices for SPF in Microsoft 365 --A domain supports only one SPF TXT record. Multiple DNS TXT records for the same domain cause a DNS lookup loop that makes SPF fail. To avoid this scenario, you can create a separate DNS TXT record for each subdomain. For example, create one DNS TXT record for contoso.com and another DNS TXT record for bulkmail.contoso.com. --As previously described, if an email message causes more than 10 DNS lookups for SPF, the destination email server responds with a permanent error (also called a _permerror_) that causes the message to fail SPF. The destination email server might also return the message in a non-delivery report (also known as an NDR or _bounce message_) that contains one of the following errors: --- The message exceeded the hop count.-- The message required too many lookups.--To avoid these errors, you can require users in your organization to send bulk email from a subdomain that's designed for that purpose (for example, bulkmail.contoso.com). You then create a different SPF TXT record for the subdomain that includes the bulk email sources. 
Most bulk email senders have a specific domain or subdomain that you need to add as an `include:` value in your SPF TXT record. For example, exacttarget.com directs you add or use `include:cust-spf.exacttarget.com` in your SPF TXT record. --## View your current SPF TXT record and determine the number of lookups that it requires --You can use nslookup to view your DNS records, including your SPF TXT record. There are many free, online tools that you can use to view the contents of your SPF TXT record. By looking at your SPF TXT record and following the chain of `include:` statements and redirects, you can determine how many DNS lookups are required. Some online tools even count and display these lookups for you. Keeping track of this number helps prevent SPF failures. --## For more information --Need help with adding the SPF TXT record? Read [Create DNS records at any DNS hosting provider for Microsoft 365](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider#add-or-edit-an-spf-txt-record-to-help-prevent-email-spam-outlook-exchange-online) for detailed information about using SPF with your custom domain in Microsoft 365. [Anti-spam message headers](message-headers-eop-mdo.md) includes the syntax and header fields used by Microsoft 365 for SPF checks. |
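Review bot: This change deletes email-authentication-anti-spoofing.md outright (every line is a removal), so a redirect for the old path, and for anchors such as `#troubleshooting-best-practices-for-spf-in-microsoft-365` that other articles link to, is needed, and the material readers relied on here should be confirmed present in whichever article replaces it: the 10-DNS-lookup limit and the resulting permerror, the forwarding example showing why SPF alone breaks when "IP #25 isn't in contoso.com's SPF TXT record", and the hybrid record example ending in `include:spf.protection.outlook.com -all`. If that content is being moved rather than dropped, do not carry over the errors in the removed text: the mechanism names are `ip4:` and `ip6:` (the prose said "`ipv4:` or `ipv6:`" while the example correctly used `ip4:`); the soft-fail qualifier is `~all`, not "`~`"; multiple SPF TXT records for one domain produce a permerror under RFC 7208 rather than "a DNS lookup loop"; "The message exceeded the hop count" is a mail-loop error, not an SPF lookup error; and SPF does not "mark the message envelope", the receiver records the result in the Authentication-Results header. The `~all` guidance ("You're using DMARC with p=quarantine or p=reject") should also be reconsidered in the new home, since the companion about.md change recommends moving to `-all` once all sending sources are known.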
security | Email Authentication Arc Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-arc-configure.md | Title: Configure trusted ARC sealers f1.keywords: - NOCSH---+++ audience: ITPro ms.localizationpriority: high appliesto: # Configure trusted ARC sealers -In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email authentication ([SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md)) verify email senders for the safety of the recipients. +[Email authentication](email-authentication-about.md) helps validate mail sent to and from your Microsoft 365 organization to prevent spoofed senders that are used in business email compromise (BEC), ransomware, and other phishing attacks. -But, some legitimate services might make changes to the message between the sender and recipient. For example, changes to the message might cause source IP address of the message to change, which can cause the following email authentication failures: +But, some legitimate email services might modify messages before they're delivered to your Microsoft 365 organization. Modifying inbound messages in transit can and likely will cause the following email authentication failures in Microsoft 365: -- SPF fails because of the new IP address.-- DKIM fails because of the content modification.+- SPF fails because of the new message source (IP address). +- DKIM fails because of content modification. - DMARC fails because of the SPF and DKIM failures. -Authenticated Received Chain (ARC) helps reduce delivery failures due to legitimate email message changes by preserving the original email authentication information. 
You can configure your Microsoft 365 organization trust the service that modified the message, and to use that original information to help the message pass email authentication. --## ARC in Microsoft Defender for Office 365 --Services that modify message content in transit before delivery can invalidate DKIM email signatures and affect the authentication of the message. These services can use ARC to provide details of the original authentication before the modifications occurred. Your organization can then trust these details to help authenticate the message. --Trusted ARC sealers let admins add a list of *trusted* intermediaries into the Microsoft Defender portal. Trusted ARC sealers allow Microsoft to honor ARC signatures from these trusted intermediaries, preventing these legitimate messages from failing the authentication chain. --> [!NOTE] -> Trusted ARC sealers is an admin-created list of intermediary domains that use ARC sealing. When an email is routed to Microsoft 365 through an ARC trusted intermediary, Microsoft 365 validates the ARC signature and (based on the ARC results) can honor the provided authentication details. +Authenticated Received Chain (ARC) helps reduce inbound email authentication failures from message modification by legitimate email services. ARC preserves the original email authentication information at the email service. You can configure your Microsoft 365 organization to trust the service that modified the message, and to use that original information in email authentication checks. ## When to use trusted ARC sealers? 
-Microsoft 365 organizations need a list of trusted ARC sealers only when intermediaries are a regular part of mail flow and when messages are affected in the following ways: +A Microsoft 365 organization needs to identify trusted ARC sealers only when messages delivered to Microsoft 365 recipients are regularly affected in the following ways: -- The intermediary modifies the email header or email contents.-- The email modifications cause authentication to fail for other reasons (example, by removing attachments).+- The intermediary service modifies the message header or email content. +- The message modifications cause authentication to fail for other reasons (example, by removing attachments). -When an admin adds a trusted ARC sealer, Microsoft 365 validates and trusts the authentication results that the ARC sealer provides when delivering mail to your organization. +After an admin adds a trusted ARC sealer in the Defender portal, Microsoft 365 uses the original email authentication information that the ARC sealer provides to validate the messages sent through the service into Microsoft 365. -> [!NOTE] -> Add only legitimate, required services as trusted ARC sealers in your organization. Doing so helps affected messages pass email authentication checks, and prevents legitimate messages from being delivered to the Junk Email folder, quarantined, or rejected due to authentication failures. +> [!TIP] +> Add only legitimate, required services as trusted ARC sealers in your Microsoft 365 organization. This action helps affected messages pass email authentication checks, and prevents legitimate messages from being delivered to the Junk Email folder, quarantined, or rejected due to email authentication failures. ## What do you need to know before you begin? When an admin adds a trusted ARC sealer, Microsoft 365 validates and trusts the - You need to be assigned permissions before you can do the procedures in this article. 
You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**. - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Membership in the **Organization Management** or **Security Administrator** role groups.- - [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. --<a name='use-the-microsoft-365-defender-portal-to-add-trusted-arc-sealers'></a> + - [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator** or **Security Administrator** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. ## Use the Microsoft Defender portal to add trusted ARC sealers When an admin adds a trusted ARC sealer, Microsoft 365 validates and trusts the 3. In the **Add trusted ARC sealers** flyout that opens, enter the trusted signing domain in the box (for example, fabrikam.com). - The domain name must match the domain that's shown in the `d` tag in the **ARC-Seal** and **ARC-Message-Signature** headers in affected email messages. You can use Outlook to see these headers. For instructions, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c). + The domain name must match the domain that's shown in the **d** value in the **ARC-Seal** and **ARC-Message-Signature** headers in affected messages. 
Use the following methods to view the message header: ++ - [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c). + - Use the Message Header Analyzer at <https://mha.azurewebsites.net>. Repeat this step as many times as necessary. To remove an existing entry, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: next to the entry. If you'd rather use PowerShell to view, add, or remove trusted ARC sealers, conn - **Add or remove trusted ARC sealers** - To *replace* any existing ARC sealers with the values you specify, use the following syntax: + To _replace_ any existing ARC sealers with the values you specify, use the following syntax: ```powershell Set-ArcConfig -Identity [TenantId\]Default -ArcTrustedSealers "Domain1","Domain2",..."DomainN" ``` - The TenantId\ value isn't required in your own organization, only in delegated organizations. It's a GUID that's visible in many admin portal URLs in Microsoft 365 (the tid= value). For example, a32d39e2-3702-4ff5-9628-31358774c091. + The TenantId\ value isn't required in your own organization, only in delegated organizations. It's a GUID that's visible in many admin portal URLs in Microsoft 365 (the `tid=` value). For example, a32d39e2-3702-4ff5-9628-31358774c091. This example configures "cohovineyard.com" and "tailspintoys.com" as the only trusted ARC sealers in the organization. If you'd rather use PowerShell to view, add, or remove trusted ARC sealers, conn ## Validate a trusted ARC sealer -If there's an ARC seal from a third party before the message reaches Microsoft 365, check the message header for the latest ARC headers after the message is delivered. +If there's an ARC seal from a service before the message reaches Microsoft 365, check the message header for the latest ARC headers after the message is delivered. In the last **ARC-Authentication-Results** header, look for `arc=pass` and `oda=1`. 
These values indicate: For example: ```text ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is-40.107.65.78) smtp.rcpttodomain=microsoft.com +172.17.17.17) smtp.rcpttodomain=microsoft.com smtp.mailfrom=sampledoamin.onmicrosoft.com; dmarc=bestguesspass action=none header.from=sampledoamin.onmicrosoft.com; dkim=none (message not signed); arc=pass (0 oda=1 ltdi=1 dmarc=[1,1,header.from=sampledoamin.onmicrosoft.com]) To check whether the ARC result was used to override a DMARC failure, look for `compauth=pass` and `reason=130` in the last **Authentication-Results** header. For example: - ```text-Authentication-Results: spf=fail (sender IP is 51.163.158.241) +Authentication-Results: spf=fail (sender IP is 10.10.10.10) smtp.mailfrom=contoso.com; dkim=fail (body hash did not verify) header.d=contoso.com;dmarc=fail action=none header.from=contoso.com;compauth=pass reason=130 header.from=contoso.com;compauth=pass reason=130 ## Trusted ARC sealer mail flow diagrams -These diagrams contrast mail flow operations with and without a trusted ARC sealer when using any SPF, DKIM, and DMARC email authentication. In both diagrams, the Microsoft 365 organization uses legitimate services that must interrupt mail flow, which can violate email authentication standards by changing the source IP, and update the email message header. +The diagrams in this section contrast mail flow and the affect on email authentication results with and without a trusted ARC sealer. In both diagrams, the Microsoft 365 organization uses a legitimate email service that modifies inbound mail before delivered into Microsoft 365. This modification interrupts mail flow, which can cause email authentication failures by changing the source IP and updating the email message header. 
-This diagram demonstrates the result *without* a trusted ARC sealer: +This diagram demonstrates the result _without_ a trusted ARC sealer: :::image type="content" source="../../media/m365d-indirect-traffic-flow-without-trusted-arc-sealer.PNG" alt-text="Contoso publishes SPF, DKIM, and DMARC. A sender using SPF sends email from inside contoso.com to fabrikam.com, and this message passes through a legitimate third party service that modifies the sending IP address in the email header. During the DNS check at Microsoft 365, the message fails SPF due to the altered IP, and fails DKIM because the content was modified. DMARC fails because of the SPF and DKIM failures. The message is delivered to the Junk Email folder, quarantined, or rejected."::: -This diagram demonstrates the result *with* a trusted ARC sealer: +This diagram demonstrates the result _with_ a trusted ARC sealer: :::image type="content" source="../../media/m365d-indirect-traffic-flow-with-trusted-arc-sealer.PNG" alt-text="Contoso publishes SPF, DKIM, and DMARC, but also configures the required trusted ARC sealers. A sender using SPF sends email from inside contoso.com to fabrikam.com, and this message passes through a legitimate third party service that modifies the sending IP address in the email header. The service uses ARC sealing, and because the service is defined as a trusted ARC sealer in Microsoft 365, the modification is accepted. SPF fails for the new IP address. DKIM fails because of the content modification. DMARC fails because of the earlier failures. But ARC recognizes the modifications, issues a Pass, and accepts the changes. Spoof also receives a pass. The message is delivered to the Inbox."::: -## Next steps: After you set up ARC for Defender for Office 365 +## Next steps -After setup, check your ARC Headers with Message Header Analyzer at <https://mha.azurewebsites.net>. +Check your ARC Headers with Message Header Analyzer at <https://mha.azurewebsites.net>. 
-Review the [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), [DMARC](email-authentication-dmarc-configure.md), configuration steps. +Review the [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), [DMARC](email-authentication-dmarc-configure.md), configuration procedures. |
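Review bot: The second example header under "Validate a trusted ARC sealer" now shows the line `header.from=contoso.com;compauth=pass reason=130` twice in a row; if that is not an extraction artifact, drop the duplicate so the example parses as a single Authentication-Results header. Wording fixes in the new diagram intro: "the affect on email authentication results" should be "effect", and "modifies inbound mail before delivered into Microsoft 365" needs "before it's delivered". Replacing the public IPs in the examples (`40.107.65.78` with `172.17.17.17`, `51.163.158.241` with `10.10.10.10`) is the right call; the RFC 5737 documentation ranges (for example 192.0.2.0/24) would be a cleaner choice than RFC 1918 space, and the misspelled `sampledoamin.onmicrosoft.com` in the same block could be fixed while it is being touched. One caveat worth adding next to the tip "Add only legitimate, required services as trusted ARC sealers": the article says Microsoft 365 uses the authentication information the sealer provides to validate messages, which means a listed domain that is compromised, or that seals mail it did not itself authenticate, can make spoofed messages pass with `compauth=pass reason=130`; the entry should be the sealer's exact `d=` domain (as the article already says) and should be removed when the intermediary is decommissioned.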
security | Email Authentication Dkim Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dkim-configure.md | Title: How to use DKIM for email in your custom domain f1.keywords: - NOCSH--- Previously updated : 6/15/2023+++ Last updated : 1/29/2024 audience: ITPro -description: Learn how to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure messages sent from your custom domain are trusted by the destination email systems. +description: Learn how Microsoft 365 uses DomainKeys Identified Mail (DKIM) to sign outbound mail, and how to configure DKIM signing of outbound mail using custom domains. appliesto: appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> -# Use DKIM to validate outbound email sent from your custom domain +# Set up DKIM to sign mail from your Microsoft 365 domain [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -This article lists the steps to use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure that destination email systems trust messages sent outbound from your custom domain. +DomainKeys Identified Mail (DKIM) is a method of [email authentication](email-authentication-about.md) that helps validate mail sent from your Microsoft 365 organization to prevent spoofed senders that are used in business email compromise (BEC), ransomware, and other phishing attacks. -In this article: +The primary purpose of DKIM is to verify that a message hasn't been altered in transit. 
Specifically: -- [How DKIM works better than SPF alone to prevent malicious spoofing](#how-dkim-works-better-than-spf-alone-to-prevent-malicious-spoofing)-- [Steps to Create, enable and disable DKIM from Microsoft Defender portal](#steps-to-create-enable-and-disable-dkim-from-microsoft-defender-portal)-- [Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys](#steps-to-manually-upgrade-your-1024-bit-keys-to-2048-bit-dkim-encryption-keys)-- [Steps to manually set up DKIM using PowerShell](#steps-to-manually-set-up-dkim-using-powershell)-- [Error: No DKIM keys saved for this domain](#error-no-dkim-keys-saved-for-this-domain)-- [Steps to configure DKIM for more than one custom domain](#to-configure-dkim-for-more-than-one-custom-domain)-- [Disabling the DKIM signing policy for a custom domain](#disabling-the-dkim-signing-policy-for-a-custom-domain)-- [Default behavior for DKIM and Microsoft 365](#default-behavior-for-dkim-and-microsoft-365)-- [Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain](#set-up-dkim-so-that-a-third-party-service-can-send-or-spoof-email-on-behalf-of-your-custom-domain)-- [Next steps: After you set up DKIM for Microsoft 365](#next-steps-after-you-set-up-dkim-for-microsoft-365)+1. One or more private keys are generated for a domain and are used by the source email system to digitally sign important parts of outbound messages. These message parts include: + - From, To, Subject, MIME-Version, Content-Type, Date, and other message header fields (depending on the source email system). + - The message body. +2. The digital signature is stored in the **DKIM-Signature** header field in the message header and remains valid as long as intermediate email systems don't modify the signed parts of the message. The signing domain is identified by the **d=** value in the **DKIM-Signature** header field. +3. 
The corresponding public keys are stored in DNS records for the signing domain (CNAME records in Microsoft 365; other email systems might use TXT records). +4. Destination email systems use the **d=** value in the **DKIM-Signature** header field to: + - Identify the signing domain. + - Look up the public key in the DKIM DNS record for the domain. + - Use the public key in the DKIM DNS record for the domain to verify the message signature. -> [!NOTE] -> Microsoft 365 automatically sets up DKIM for its initial 'onmicrosoft.com' domains. That means you don't need to do anything to set up DKIM for any initial domain names (for example, litware.onmicrosoft.com). For more information about domains, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain). +Important facts about DKIM: -DKIM is one of the trio of Authentication methods (SPF, DKIM and DMARC) that help prevent attackers from sending messages that look like they come from your domain. +- The domain that's used to DKIM sign the message isn't required to match the domain in the MAIL FROM or From addresses in the message. For more information about these addresses, see [Why internet email needs authentication](email-authentication-about.md#why-internet-email-needs-authentication). +- A message can have multiple DKIM signatures by different domains. In fact, many hosted email services sign the message using the service domain, and then sign the message again using the customer domain after the customer configures DKIM signing for the domain. -DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate. 
+Before we get started, here's what you need to know about DKIM in Microsoft 365 based on your email domain: -In basic, a private key encrypts the header in a domain's outgoing email. The public key is published in the domain's DNS records, and receiving servers can use that key to decode the signature. DKIM verification helps the receiving servers confirm the mail is really coming from your domain and not someone *spoofing* your domain. +- **If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: You don't need to do anything. Microsoft automatically creates a 2048-bit public-private key pair from your initial \*.onmicrosoft.com domain. Outbound messages are automatically DKIM signed using the private key. The public key is published in a DNS record so destination email systems can verify the DKIM signature of messages. -> [!TIP] -> You can choose to do nothing about DKIM for your custom domain too. If you don't set up DKIM for your custom domain, Microsoft 365 creates a private and public key pair, enables DKIM signing, and then configures the Microsoft 365 default policy for your custom domain. + But, you can also manually configure DKIM signing using the \*.onmicrosoft.com domain. For instructions, see the [Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain](#use-the-defender-portal-to-customize-dkim-signing-of-outbound-messages-using-the-onmicrosoftcom-domain) section later in this article. ++ To verify the fact that outbound messages are automatically DKIM signed, see the [Verify DKIM signing of outbound mail from Microsoft 365](#verify-dkim-signing-of-outbound-mail-from-microsoft-365) section later in this article. ++ For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain). 
- Microsoft-365's built-in DKIM configuration is sufficient coverage for most customers. However, you should manually configure DKIM for your custom domain in the following circumstances: +- **If you use one or more custom domains for email (for example, contoso.com)**: Even though all outbound mail from Microsoft 365 is automatically signed by the MOERA domain, you still have more work to do for maximum email protection: + - **Configure DKIM signing using custom domains or subdomains**: A message needs to be DKIM signed by the domain in the From address. We also recommend configuring DMARC, and DKIM passes DMARC validation only if the domain that DKIM signed the message and the domain in the From address align. -- You have more than one custom domain in Microsoft 365-- You're going to set up DMARC too (**recommended**)-- You want control over your private key-- You want to customize your CNAME records-- You want to set up DKIM keys for email originating out of a third-party domain, for example, if you use a third-party bulk mailer.+ - **Subdomain considerations**: + - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by employees in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365). + - Each subdomain that you use to send email from Microsoft 365 requires its own DKIM configuration. -## How DKIM works better than SPF alone to prevent malicious spoofing -<a name="HowDKIMWorks"> </a> + > [!TIP] + > Email authentication protection for _undefined_ subdomains is covered by DMARC. 
Any subdomains (defined or not) inherit the DMARC settings of the parent domain (which can be overridden per subdomain). For more information, see [Set up DMARC to validate the From address domain for senders in Microsoft 365](email-authentication-dmarc-configure.md). -SPF adds information to a message envelope but DKIM *encrypts* a signature within the message header. When you forward a message, portions of that message's envelope can be stripped away by the forwarding server. Since the digital signature stays with the email message because it's part of the email header, DKIM works even when a message has been forwarded as shown in the following example. + - **If you own registered but unused domains**: If you own registered domains that aren't used for email or anything at all (also known as _parked domains_), don't publish DKIM records for those domains. The lack of a DKIM record (hence, the lack of a public key in DNS to validate the message signature) prevents DKIM validation of forged domains. +- **DKIM alone is not enough**. For the best level of email protection for your custom domains, you also need to configure SPF and DMARC as part of your overall [email authentication](email-authentication-about.md) strategy. For more information, see the [Next Steps](#next-steps) section at the end of this article. -In this example, if you had only published an SPF TXT record for your domain, the recipient's mail server could have marked your email as spam and generated a false positive result. **The addition of DKIM in this scenario reduces *false positive* spam reporting.** Because DKIM relies on public key cryptography to authenticate and not just IP addresses, DKIM is considered a much stronger form of authentication than SPF. We recommend using both SPF and DKIM, as well as DMARC in your deployment. 
+The rest of this article describes the DKIM CNAME records that you need to create for custom domains in Microsoft 365, and configuration procedures for DKIM using custom domains. > [!TIP]-> DKIM uses a private key to insert an encrypted signature into the message headers. The signing domain, or outbound domain, is inserted as the value of the **d=** field in the header. The verifying domain, or recipient's domain, then uses the **d=** field to look up the public key from DNS, and authenticate the message. If the message is verified, the DKIM check passes. +> Configuring DKIM signing using a custom domain is a mixture of procedures in Microsoft 365 and procedures at the domain registrar of the custom domain. +> +> We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). +> +> If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help. -## Steps to Create, enable and disable DKIM from Microsoft Defender portal +## Syntax for DKIM CNAME records -All the accepted domains of your tenant will be shown in the Microsoft Defender portal under the DKIM page. If you do not see it, add your accepted domain from [domains page](/microsoft-365/admin/setup/add-domain#add-a-domain). -Once your domain is added, follow the steps as shown below to configure DKIM. +> [!TIP] +> You use the Defender portal or Exchange Online PowerShell to view the required CNAME values for DKIM signing of outbound messages using a custom domain. The values presented here are for illustration only. To get the values that are required for your custom domains or subdomains, use the procedures later in this article. 
-Step 1: On the [DKIM page](https://security.microsoft.com/dkimv2), select the domain you wish to configure. +DKIM is exhaustively described in [RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376). +The basic syntax of the DKIM CNAME records for custom domains that send mail from Microsoft 365 is: -Step 2: Click **Create DKIM keys**. You will see a pop-up window stating that you need to add CNAME records. +```text +Hostname: selector1._domainkey +Points to address or value: selector1-<CustomDomain>._domainkey.<InitialDomain> +Hostname: selector2._domainkey +Points to address or value: selector2-<CustomDomain>._domainkey.<InitialDomain> +``` -Step 3: Copy the CNAMES shown in the pop up window +- In Microsoft 365, two public-private key pairs are generated when DKIM signing using a custom domain or subdomain is enabled. The private keys that are used to sign the message are inaccessible. The CNAME records point to the corresponding public keys that are used to verify the DKIM signature. These records are known as _selectors_. + - Only one selector is active and used when DKIM signing using a custom domain is enabled. + - The second selector is inactive. It's activated and used only after any future [DKIM key rotation](#rotate-dkim-keys), and then only after the original selector is deactivated. + The selector that's used to verify the DKIM signature (which infers the private key that was used to sign the message) is stored in the **s=** value in the **DKIM-Signature** header field (for example, `s=selector1-contoso-com`). -Step 4: Publish the copied CNAME records to your DNS service provider. +- **Hostname**: The values are the same for all Microsoft 365 organizations: `selector1._domainkey` and `selector2._domainkey`. -On your DNS provider's website, add CNAME records for DKIM that you want to enable. Make sure that the fields are set to the following values for each: +- **\<CustomDomain\>**: The custom domain or subdomain with periods replaced by dashes. 
For example, `contoso.com` becomes `contoso-com`, or `marketing.contoso.com` becomes `marketing-contoso-com`. -```text -Record Type: CNAME (Alias) -> Host: Paste the values you copy from DKIM page. -Points to address: Copy the value from DKIM page. -TTL: 3600 (or your provider default) -``` +- **\<InitialDomain\>**: The \*.onmicrosoft.com that you used when you enrolled in Microsoft 365 (for example, contoso.onmicrosoft.com). -Step 5: Return to DKIM page to enable DKIM. +For example, your organization has the following domains in Microsoft 365: +- **Initial domain**: cohovineyardandwinery.onmicrosoft.com +- **Custom domains**: cohovineyard.com and cohowinery.com -If you see CNAME record doesn't exist error, it might be due to: +You need to create two CNAME records in each custom domain, for a total of four CNAME records: -1. Synchronization with DNS server, which might take few seconds to hours, if the problem persists repeat the steps again -2. Check for any copy paste errors, like additional space or tabs etc. +- **CNAME records in the cohovineyard.com domain**: -If you wish to disable DKIM, toggle back to disable mode. + **Hostname**: `selector1._domainkey`<br> + **Points to address or value**: `selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com` -## Steps to manually upgrade your 1024-bit keys to 2048-bit DKIM encryption keys -<a name="1024to2048DKIM"> </a> + **Hostname**: `selector2._domainkey`<br> + **Points to address or value**: `selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com` -> [!NOTE] -> Microsoft 365 automatically sets up DKIM for *onmicrosoft.com* domains. No steps are needed to use DKIM for any initial domain names (like litware.*onmicrosoft.com*). For more information about domains, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain). 
+- **CNAME records in the cohowinery.com domain**: -Since both 1024 and 2048 bitness are supported for DKIM keys, these directions will tell you how to upgrade your 1024-bit key to 2048 in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). The steps below are for two use-cases, please choose the one that best fits your configuration. + **Hostname**: `selector1._domainkey`<br> + **Points to address or value**: `selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com` -- When you **already have DKIM configured**, you rotate bitness by running the following command:+ **Hostname**: `selector2._domainkey`<br> + **Points to address or value**: `selector2-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com` - ```powershell - Rotate-DkimSigningConfig -KeySize 2048 -Identity <DkimSigningConfigIdParameter> - ``` +## Configure DKIM signing of outbound messages in Microsoft 365 - **or** +### Use the Defender portal to enable DKIM signing of outbound messages using a custom domain -- For a **new implementation of DKIM**, run the following command:+> [!TIP] +> Enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the initial \*.onmicrosoft.com domain to using the custom domain. +> +> You can use a custom domain or subdomain to DKIM sign outbound mail only after the domain has been successfully added to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain). +> +> The main factor that determines when a custom domain starts DKIM signing outbound mail is the CNAME record detection in DNS. 
- ```powershell - New-DkimSigningConfig -DomainName <Domain for which config is to be created> -KeySize 2048 -Enabled $true - ``` +To use the procedures in this section, the custom domain or subdomain must appear on the **DKIM** tab of the **Email authentication settings** page at <https://security.microsoft.com/authentication?viewid=DKIM>. The properties of the domain in the details flyout must contain the following values: -Stay connected to Exchange Online PowerShell to *verify* the configuration by running the following command: -```powershell -Get-DkimSigningConfig -Identity <Domain for which the configuration was set> | Format-List -``` +- The **Sign messages for this domain with DKIM signatures** toggle is set to **Disabled** :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. +- The **Status** value is **Not signing DKIM signatures for the domain**. +- **Create DKIM keys** isn't present. **Rotate DKIM keys** is visible, but is grayed out. -> [!TIP] -> This new 2048-bit key takes effect on the RotateOnDate, and will send emails with the 1024-bit key in the interim. After four days, you can test again with the 2048-bit key (that is, once the rotation takes effect to the second selector). +Proceed if the domain satisfies these requirements. -If you want to rotate to the second selector, after four days and confirming that 2048-bitness is in use, manually rotate the second selector key by using the appropriate cmdlet listed above. +1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. 
-For detailed syntax and parameter information, see the following articles: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig), [New-DkimSigningConfig](/powershell/module/exchange/new-dkimsigningconfig), and [Get-DkimSigningConfig](/powershell/module/exchange/get-dkimsigningconfig). +2. On the **Email authentication settings** page, select the **DKIM** tab. -## Steps to manually set up DKIM using PowerShell -<a name="SetUpDKIMO365"> </a> +3. On the **DKIM** tab, select the custom domain to configure by clicking anywhere in the row other than the check box next to the name. -To configure DKIM, you will complete these steps: + :::image type="content" source="../../media/email-auth-dkim-domain-list.png" alt-text="The DKIM tab of the Email authentication page in the Defender portal." lightbox="../../media/email-auth-dkim-domain-list.png"::: -- [Publish two CNAME records for your custom domain in DNS](email-authentication-dkim-configure.md#Publish2CNAME)-- [Enable DKIM signing for your custom domain](email-authentication-dkim-configure.md#EnableDKIMinO365)+4. In the domain details flyout that opens, select the **Sign messages for this domain with DKIM signatures** toggle that's currently set to **Disabled** :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. -### Publish two CNAME records for your custom domain in DNS -<a name="Publish2CNAME"> </a> + Note the **Last checked date** value. -For each domain for which you want to add a DKIM signature in DNS, you need to publish two CNAME records. +5. A **Client error** dialog opens. The error contains the values to use in the two CNAME records that you create at the domain registrar for the domain. -> [!NOTE] -> If you haven't read the full article, you might have missed this time-saving PowerShell connection information: [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). 
+ In this example, the custom domain is contoso.com and the initial domain for the Microsoft 365 organization is contoso.onmicrosoft.com. The error message looks like this: -Run the following commands in Exchange Online PowerShell to create the selector records: + ```text + |Microsoft.Exchange.ManagementTasks.ValidationException|CNAME record does not + exist for this config. Please publish the following two CNAME records first. Domain Name + : contoso.com Host Name : selector1._domainkey Points to address or value: selector1- + contoso-com._domainkey.contoso.onmicrosoft.com Host Name : selector2._domainkey + Points to address or value: selector2-contoso-com._domainkey.contoso.onmicrosoft.com . + If you have already published the CNAME records, sync will take a few minutes to as + many as 4 days based on your specific DNS. Return and retry this step later. + ``` -```powershell -New-DkimSigningConfig -DomainName <domain> -Enabled $false + Therefore, the CNAME records that you need to create in DNS for the contoso.com domain are: -Get-DkimSigningConfig -Identity <domain> | Format-List Selector1CNAME, Selector2CNAME -``` + **Hostname**: `selector1._domainkey`<br> + **Points to address or value**: `selector1-contoso-com._domainkey.contoso.onmicrosoft.com` -If you have provisioned custom domains in addition to the initial domain in Microsoft 365, you must publish two CNAME records for each additional domain. So, if you have two domains, you must publish two additional CNAME records, and so on. + **Hostname**: `selector2._domainkey`<br> + **Points to address or value**: `selector2-contoso-com._domainkey.contoso.onmicrosoft.com` -Use the following format for the CNAME records. + Copy the information from the error dialog (select the text and press CTRL+C), and then select **OK**. -> [!IMPORTANT] -> If you are one of our GCC High customers, we calculate _customDomainIdentifier_ differently! 
Instead of looking up the MX record for your _initialDomain_ to calculate _customDomainIdentifier_, instead we calculate it directly from the customized domain. For example, if your customized domain is "contoso.com" your _customDomainIdentifier_ becomes "contoso-com", any periods are replaced with a dash. So, regardless of what MX record your _initialDomain_ points to, you'll always use the above method to calculate the _customDomainIdentifier_ to use in your CNAME records. + Leave the domain details flyout open. -```console -Host name: selector1._domainkey -Points to address or value: selector1-<customDomainIdentifier>._domainkey.<initialDomain> -TTL: 3600 +6. In another browser tab or window, go to the domain registrar for the domain, and then create the two CNAME records using the information from the previous step. -Host name: selector2._domainkey -Points to address or value: selector2-<customDomainIdentifier>._domainkey.<initialDomain> -TTL: 3600 -``` + We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). -Where: + It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created. -- For Microsoft 365, the selectors will always be "selector1" or "selector2".-- _customDomainIdentifier_ is the same as the _customDomainIdentifier_ in the customized MX record for your custom domain that appears before mail.protection.outlook.com. For example, in the following MX record for the domain contoso.com, the _customDomainIdentifier_ is contoso-com:+7. After a while, return to the domain properties flout that you left open in Step 5, and select the **Sign messages for this domain with DKIM signatures** toggle. - > contoso.com. 
3600 IN MX 5 contoso-com.mail.protection.outlook.com + After a few seconds, the following dialog opens: -- _initialDomain_ is the domain that you used when you signed up for Microsoft 365. Initial domains always end in onmicrosoft.com. For information about determining your initial domain, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain).+ :::image type="content" source="../../media/email-auth-dkim-domain-properties-cname-detected.png" alt-text="The dialog that opens when you try to enable DKIM signing for the domain." lightbox="../../media/email-auth-dkim-domain-properties-cname-detected.png"::: -For example, if you have an initial domain of cohovineyardandwinery.onmicrosoft.com, and two custom domains cohovineyard.com and cohowinery.com, you would need to set up two CNAME records for each additional domain, for a total of four CNAME records. + After you select **OK** to close the dialog, verify the following settings on the details flyout: -```console -Host name: selector1._domainkey -Points to address or value: selector1-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com -TTL: 3600 + - The **Sign messages for this domain with DKIM signatures** toggle is set to **Enabled** :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::. + - The **Status** value is **Signing DKIM signatures for this domain**. + - **Rotate DKIM keys** is available. + - **Last checked date**: The date and time should be more recent than the original value in Step 4. -Host name: selector2._domainkey -Points to address or value: selector2-cohovineyard-com._domainkey.cohovineyardandwinery.onmicrosoft.com -TTL: 3600 + :::image type="content" source="../../media/email-auth-dkim-domain-properties-rotate-keys.png" alt-text="The domain details flyout after DKIM is enabled for the domain." 
lightbox="../../media/email-auth-dkim-domain-properties-create-dkim.png"::: -Host name: selector1._domainkey -Points to address or value: selector1-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com -TTL: 3600 +### Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain -Host name: selector2._domainkey -Points to address or value: selector2-cohowinery-com._domainkey.cohovineyardandwinery.onmicrosoft.com -TTL: 3600 -``` +As described earlier in this article, the initial \*.onmicrosoft.com domain is automatically configured to sign all outbound mail from your Microsoft 365 organization, and you should [configure custom domains to DKIM signing of outbound messages](#use-the-defender-portal-to-enable-dkim-signing-of-outbound-messages-using-a-custom-domain). -> [!NOTE] -> It's important to create CNAME records for both selectors in the DNS, but only one (active) selector is published with the public key at the time of creation. This behavior is expected and doesn't affect DKIM signing for your custom domains. The second selector will be published with the public key after any future key rotation when it becomes active. +But, you can also use the procedures in this section to affect DKIM signing using the \*.onmicrosoft.com domain: -### Steps to enable DKIM signing for your custom domain using PowerShell -<a name="EnableDKIMinO365"> </a> +- Generate new keys. The new keys are automatically added and used in the Microsoft 365 datacenters. +- Have the properties of the \*.onmicrosoft.com domain appear correctly in the details flyout of the domain on the **DKIM** tab of the **Email authentication settings** page at <https://security.microsoft.com/authentication?viewid=DKIM> or in PowerShell. This result allows for future operations on the DKIM configuration for the domain (for example, [manual key rotation](#rotate-dkim-keys)). 
-Once you have published the CNAME records in DNS, replace \<Domain\> with your domain name, and then run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to enable DKIM signing through Microsoft 365: +To use the procedures in this section, the \*.onmicrosoft.com domain must appear on the **DKIM** tab of the **Email authentication settings** page at <https://security.microsoft.com/authentication?viewid=DKIM>. The properties of the \*.onmicrosoft.com domain in the details flyout must contain the following values: -```powershell -Set-DkimSigningConfig -Identity <Domain> -Enabled $true -``` ++- The **Sign messages for this domain with DKIM signatures** toggle isn't available. +- The **Status** value is **No DKIM keys saved for this domain**. +- **Create DKIM keys** is present. ++Proceed if the domain satisfies these requirements. ++1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. ++2. On the **Email authentication settings** page, select the **DKIM** tab. ++3. On the **DKIM** tab, select the \*.onmicrosoft.com domain to configure by clicking anywhere in the row other than the check box next to the name. ++ :::image type="content" source="../../media/email-auth-dkim-domain-list.png" alt-text="The DKIM tab of the Email authentication page in the Defender portal." lightbox="../../media/email-auth-dkim-domain-list.png"::: ++4. In the domain details flyout that opens, select **Create DKIM keys**. ++ :::image type="content" source="../../media/email-auth-dkim-domain-properties-create-dkim.png" alt-text="The domain details flyout with the Create DKIM keys button." lightbox="../../media/email-auth-dkim-domain-properties-create-dkim.png"::: ++5. 
When DKIM key creation is finished, the **Publish CNAMEs dialog** opens. Select **Close**. ++ You can't create the CNAME records for the \*.onmicrosoft.com domain, so you don't need to copy the values. Microsoft takes care of the required DNS configuration for you. -For detailed syntax and parameter information, see [Set-DkimSigningConfig](/powershell/module/exchange/set-dkimsigningconfig). +6. After you select **Close**, you're back on the domain details flyout where the **Sign messages for this domain with DKIM signatures** toggle is **Disabled** :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. -## Error: No DKIM keys saved for this domain -<a name="NoDKIMKeys"> </a> + :::image type="content" source="../../media/email-auth-dkim-domain-properties-create-dkim-unavailable.png" alt-text="The domain details tab with DKIM signing disabled." lightbox="../../media/email-auth-dkim-domain-properties-create-dkim-unavailable.png"::: -If you're configuring DKIM for the first time and see the error 'No DKIM keys saved for this domain', you need to use Exchange Online PowerShell to enable DKIM signing. + Slide the **Sign messages for this domain with DKIM signatures** toggle to **Enabled** :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::, and then select **OK** in the confirmation dialog that opens. + :::image type="content" source="../../media/email-auth-dkim-domain-properties-rotate-keys.png" alt-text="The domain details tab with DKIM signing enabled and DKIM signatures configured for the domain." lightbox="../../media/email-auth-dkim-domain-properties-rotate-keys.png"::: -1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). + When you're finished in the domain details flyout, select **Close**. -2. 
Use the following syntax: +### Use Exchange Online PowerShell to configure DKIM signing of outbound messages ++If you'd rather use PowerShell to enable DKIM signing of outbound messages using a custom domain, or to customize DKIM signing for the \*.onmicrosoft.com domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands. ++> [!TIP] +> Before you can configure DKIM signing using the custom domain, you need to add the domain to Microsoft 365. For instructions, see [Add a domain](/microsoft-365/admin/setup/add-domain#add-a-domain). To confirm that the custom domain is available for DKIM configuration, run the following command: `Get-AcceptedDomain`. +> +> As described earlier in this article, your \*.onmicrosoft.com domain is already signing outbound email by default. Typically, unless you've manually configured DKIM signing for the \*.onmicrosoft.com domain in the Defender portal or in PowerShell, the \*.onmicrosoft.com doesn't appear in the output of **Get-DkimSigningConfig**. ++1. Run the following command to verify the availability and DKIM status of all domains in the organization: ```powershell- Set-DkimSigningConfig -Identity <Domain> -Enabled $true + Get-DkimSigningConfig | Format-List Name,Enabled,Status,Selector1CNAME,Selector2CNAME ``` - \<Domain\> is the name of the custom domain that you want to enable DKIM signing for. +2. For the domain that you want to configure DKIM signing for, the output of the command in Step 1 determines what you need to do next: - This example enables DKIM signing for the domain contoso.com: + - The domain is listed with the following values: + - **Enabled**: False + - **Status**: `CnameMissing` - ```powershell - Set-DkimSigningConfig -Identity contoso.com -Enabled $true + Go to Step 3 to copy the selector values. ++ Or ++ - The domain isn't listed: ++ 1. 
Replace \<Domain\> with the domain value, and then run the following command: ++ ```powershell + New-DkimSigningConfig -DomainName <Domain> -Enabled $false [-BodyCanonicalization <Relaxed | Simple>] [-HeaderCanonicalization <Relaxed | Simple>] [-KeySize <1024 | 2048>] + ``` ++ - The _BodyCanonicalization_ parameter specifies the sensitivity level to changes in the message body: + - Relaxed: Changes in whitespace and changes in empty lines at the end of the message body are tolerated. This is the default value. + - Simple: Only changes in empty lines at the end of the message body are tolerated. + - The _HeaderCanonicalization_ parameter specifies the sensitivity level to changes in the message header: + - Relaxed: Common modifications to the message header are tolerated. For example, header field line rewrapping, changes in unnecessary whitespace or empty lines, and changes in case for header fields. This is the default value. + - Simple: No changes to the header fields are tolerated. + - The _KeySize_ parameter specifies the bit size of the public key in the DKIM record: + - 1024. This is the default value. + - 2048. ++ For example: ++ ```powershell + New-DkimSigningConfig -DomainName contoso.com -Enabled $false + ``` ++ 2. Run the command from Step 1 again to confirm that the domain is listed with the following property values: + - **Enabled**: False + - **Status**: `CnameMissing` ++ 3. Go to Step 3 to copy the selector values. ++3. Copy the **Selector1CNAME** and **Selector2CNAME** values for the domain from the output of the command from Step 1. 
++ The CNAME records that you need to create at the domain registrar for the domain look like this: ++ **Hostname**: `selector1._domainkey`<br> + **Points to address or value**: `<Selector1CNAME value>` ++ **Hostname**: `selector2._domainkey`<br> + **Points to address or value**: `<Selector2CNAME value>` ++ For example: ++ **Hostname**: `selector1._domainkey`<br> + **Points to address or value**: `selector1-contoso-com._domainkey.contoso.onmicrosoft.com` ++ **Hostname**: `selector2._domainkey`<br> + **Points to address or value**: `selector2-contoso-com._domainkey.contoso.onmicrosoft.com` ++4. Do one of the following steps: ++ - **Custom domain**: At the domain registrar for the domain, create the two CNAME records using the information from the previous step. ++ We provide instructions to create CNAME records for different Microsoft 365 services at many domain registrars. You can use these instructions as a starting point to create the DKIM CNAME records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). ++ It takes a few minutes (or possibly longer) for Microsoft 365 to detect the new CNAME records that you created. ++ - **\*.onmicrosoft.com domain**: Go to Step 5. ++5. After a while, return to Exchange Online PowerShell, replace \<Domain\> with the domain that you configured, and run the following command: ++ ```powerShell + Set-DkimConfig -Identity \<Domain\> -Enabled $true [-BodyCanonicalization <Relaxed | Simple>] [-HeaderCanonicalization <Relaxed | Simple>] + ``` ++ - The _BodyCanonicalization_ parameter specifies the sensitivity level to changes in the message body: + - Relaxed: Changes in whitespace and changes in empty lines at the end of the message body are tolerated. This is the default value. + - Simple: Only changes in empty lines at the end of the message body are tolerated. 
+ - The _HeaderCanonicalization_ parameter specifies the sensitivity level to changes in the message header: + - Relaxed: Common modifications to the message header are tolerated. For example, header field line rewrapping, changes in unnecessary whitespace or empty lines, and changes in case for header fields. This is the default value. + - Simple: No changes to the header fields are tolerated. ++ For example: ++ ```powerShell + Set-DkimConfig -Identity contoso.com -Enabled $true ``` -For detailed syntax and parameter information, see [Set-DkimSigningConfig](/powershell/module/exchange/set-dkimsigningconfig). + Or -#### To Confirm DKIM signing is configured properly for Microsoft 365 + ```powerShell + Set-DkimConfig -Identity contoso.onmicrosoft.com -Enabled $true + ``` -Wait a few minutes before you follow these steps to confirm that you have properly configured DKIM. This allows time for the DKIM information about the domain to be spread throughout the network. + - For a custom domain, if Microsoft 365 is able to detect the CNAME records at the domain registrar, the command runs without error, and the domain is now used to DKIM sign outbound messages from the domain. -- Send a message from an account within your Microsoft 365 DKIM-enabled domain to another email account such as outlook.com or Hotmail.com.-- Do not use an aol.com account for testing purposes. AOL may skip the DKIM check if the SPF check passes. This will nullify your test.-- Open the message and look at the header. Instructions for viewing the header for the message will vary depending on your messaging client. For instructions on viewing message headers in Outlook, see [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c).+ If the CNAME records aren't detected, you get an error that contains the values to use in the CNAME records. 
Check for typos in the values at the domain registrar (easy to do with the dashes, periods, and underlines!), wait a while longer, and then run the command again. - The DKIM-signed message will contain the host name and domain you defined when you published the CNAME entries. The message will look something like this example: + - For a \*.onmicrosoft.com domain that previously wasn't listed, the command runs without error. - ```console - From: Example User <example@contoso.com> - DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; - s=selector1; d=contoso.com; t=1429912795; - h=From:To:Message-ID:Subject:MIME-Version:Content-Type; - bh=<body hash>; - b=<signed field>; - ``` +6. To verify that the domain is now configured to DKIM sign messages, run the command from Step 1. -- Look for the Authentication-Results header. While each receiving service uses a slightly different format to stamp the incoming mail, the result should include something like **DKIM=pass** or **DKIM=OK**.+ The domain should have the following property values: -> [!IMPORTANT] -> The DKIM signature is **omitted** under any of the following conditions: -> -> - The sender and recipient email addresses are in the same domain. -> - The sender and recipient email addresses are in different domains that are controlled by the same organization. -> -> In both cases, the header will look similar to this: + - **Enabled**: True + - **Status**: `Valid` ++For detailed syntax and parameter information, see the following articles: ++- [Get-DkimSigningConfig](/powershell/module/exchange/get-dkimsigningconfig) +- [New-DkimSigningConfig](/powershell/module/exchange/new-dkimsigningconfig) +- [Set-DkimSigningConfig](/powershell/module/exchange/set-dkimsigningconfig) ++## Rotate DKIM keys ++For the same reasons that you should periodically change passwords, you should periodically change the DKIM key that's used for DKIM signing. Replacing the DKIM key for a domain is known as _DKIM key rotation_. 
++The relevant information about DKIM key rotation for a domain Microsoft 365 is shown in the output of the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell): ++```powershell +Get-DkimSigningConfig -Identity <CustomDomain> | Format-List +``` ++- **KeyCreationTime**: The UTC date/time that the DKIM public-private key pair was created. +- **RotateOnDate**: The date/time of the previous or next DKIM key rotation. +- **SelectorBeforeRotateOnDate**: Remember, DKIM signing using a custom domain in Microsoft 365 requires two CNAME records in the domain. This property shows the CNAME record that DKIM uses before the **RotateOnDate** date-time (also known as a _selector_). The value is `selector1` or `selector2` and is different than the **SelectorAfterRotateOnDate** value. +- **SelectorAfterRotateOnDate**: Shows the CNAME record that DKIM uses after the **RotateOnDate** date-time. The value is `selector1` or `selector2` and is different than the **SelectorBeforeRotateOnDate** value. ++When you do a DKIM key rotation on a domain as described in this section, the change isn't immediate. It takes four days (96 hours) for the new private key to start signing messages (the **RotateOnDate** date/time and the corresponding **SelectorAfterRotateOnDate** value). Until then, the existing private key is used (the corresponding **SelectorBeforeRotateOnDate** value). ++> [!TIP] +> The main factor that determines when a custom domain starts DKIM signing outbound mail is the CNAME record detection in DNS. ++To confirm the corresponding public key that's used to verify the DKIM signature (which infers the private key that was used to sign the message), check the **s=** value in the **DKIM-Signature** header field (the selector; for example, `s=selector1-contoso-com`). ++> [!TIP] +> For custom domains, you can rotate DKIM keys only on domains that are enabled for DKIM signing (the **Status** value is Enabled). 
>-> ```console -> Authentication-Results: dkim=none (message not signed) header.d=none; -> dmarc=none action=none header.from=<sender_domain>; -> ``` +> Currently, there's no automatic DKIM key rotation for the \*.onmicrosoft.com domain. You can manually rotate the DKIM keys as described in this section. If **Rotate DKIM keys** isn't available in the properties of the \*.onmicrosoft.com domain, use the procedures in the [Use the Defender portal to customize DKIM signing of outbound messages using the \*.onmicrosoft.com domain](#use-the-defender-portal-to-customize-dkim-signing-of-outbound-messages-using-the-onmicrosoftcom-domain) section earlier in this article. ++### Use the Defender portal to rotate DKIM keys for a custom domain ++1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. ++2. On the **Email authentication settings** page, select the **DKIM** tab. -## To configure DKIM for more than one custom domain -<a name="DKIMMultiDomain"> </a> +3. On the **DKIM** tab, select the domain to configure by clicking anywhere in the row other than the check box next to the name. -If at some point in the future you decide to add another custom domain and you want to enable DKIM for the new domain, you must complete the steps in this article for each domain. Specifically, complete all steps in [What you need to do to manually set up DKIM](email-authentication-dkim-configure.md#SetUpDKIMO365). + :::image type="content" source="../../media/email-auth-dkim-domain-list.png" alt-text="The DKIM tab of the Email authentication page in the Defender portal." lightbox="../../media/email-auth-dkim-domain-list.png"::: -## Disabling the DKIM signing policy for a custom domain -<a name="DisableDKIMSigningPolicy"> </a> +4. 
In the domain details flyout that opens, select **Rotate DKIM keys**. -Disabling the signing policy does not completely disable DKIM. After a period of time, Microsoft 365 will automatically apply the default policy for your domain, if the default policy is still in the enabled state. If you wish to completely disable DKIM, you need to disable DKIM on both the custom and default domains. For more information, see [Default behavior for DKIM and Microsoft 365](email-authentication-dkim-configure.md#DefaultDKIMbehavior). + :::image type="content" source="../../media/email-auth-dkim-domain-properties-rotate-keys.png" alt-text="The domain details flyout with the Rotate DKIM keys button." lightbox="../../media/email-auth-dkim-domain-properties-rotate-keys.png"::: -### To disable the DKIM signing policy by using Windows PowerShell +5. The settings in the details flyout change to the following values: + - **Status**: Rotating keys for this domain and signing DKIM signatures. + - **Rotate DKIM keys** is grayed out. -1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). +6. After four days (96 hours), the new DKIM key begins to sign outbound messages for the custom domain. Until then, the current DKIM key is used. -2. Run one of the following commands for each domain for which you want to disable DKIM signing. + You can tell when the new DKIM key is being used when the **Status** value changes from **Rotating keys for this domain and signing DKIM signatures** to **Signing DKIM signatures for this domain**. ++ To confirm the corresponding public key that's used to verify the DKIM signature (which infers the private key that was used to sign the message), check the **s=** value in the **DKIM-Signature** header field (the selector; for example, `s=selector1-contoso-com`). 
++#### Use Exchange Online PowerShell to rotate the DKIM keys for a domain and change the bit depth ++If you'd rather use PowerShell to rotate DKIM keys for a domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands. ++1. Run the following command to verify the availability and DKIM status of all domains in the organization: ```powershell- $p = Get-DkimSigningConfig -Identity <Domain> - $p[0] | Set-DkimSigningConfig -Enabled $false + Get-DkimSigningConfig | Format-List Name,Enabled,Status,Selector1CNAME,Selector1KeySize,Selector2CNAME,Selector2KeySize,KeyCreationTime,RotateOnDate,SelectorBeforeRotateOnDate,SelectorAfterRotateOnDate ``` - For example: +2. For the domain that you want to rotate DKIM keys for, use the following syntax: ```powershell- $p = Get-DkimSigningConfig -Identity contoso.com - $p[0] | Set-DkimSigningConfig -Enabled $false + Rotate-DkimSigningConfig -Identity <CustomDomain> [-KeySize <1024 | 2048>] ``` - Or + If you don't want to change the bit depth of the new DKIM keys, don't use the _KeySize_ parameter. ++ This example rotates DKIM keys for the contoso.com domain and changes to a 2048-bit key. ```powershell- Set-DkimSigningConfig -Identity $p[<number>].Identity -Enabled $false + Rotate-DkimSigningConfig -Identity contoso.com -KeySize 2048 ``` - Where _number_ is the index of the policy. For example: + This example rotates DKIM keys for the contoso.com domain without changing the key bit depth. ```powershell- Set-DkimSigningConfig -Identity $p[0].Identity -Enabled $false + Rotate-DkimSigningConfig -Identity contoso.com ``` -## Default behavior for DKIM and Microsoft 365 -<a name="DefaultDKIMbehavior"> </a> +3. 
Run the command from Step 1 again to confirm the following property values: -If you do not enable DKIM, Microsoft 365 automatically creates a 2048-bit DKIM public key for your Microsoft Online Email Routing Address (MOERA)/initial domain and the associated private key which we store internally in our datacenter. By default, Microsoft 365 uses a default signing configuration for domains that do not have a policy in place. This means that if you do not set up DKIM yourself, Microsoft 365 will use its default policy and keys it creates to enable DKIM for your domain. + - **KeyCreationTime** + - **RotateOnDate** + - **SelectorBeforeRotateOnDate** + - **SelectorAfterRotateOnDate**: -Also, if you disable DKIM signing on your custom domain after enabling it, after a period of time, Microsoft 365 will automatically apply the MOERA/initial domain policy for your custom domain. + Destination email systems use the public key in the CNAME record that's identified by the **SelectorBeforeRotateOnDate** property to verify the DKIM signature in messages (which infers the private key that was used to DKIM sign the message). -In the following example, suppose that DKIM for fabrikam.com was enabled by Microsoft 365, not by the administrator of the domain. This means that the required CNAMEs do not exist in DNS. DKIM signatures for email from this domain will look something like this: + After the **RotateOnDate** date/time, DKIM uses the new private key to sign messages, and destination email systems use the corresponding public key in the CNAME record that's identified by the **SelectorAfterRotateOnDate** property to verify the DKIM signature in messages. 
-```console -From: Second Example <second.example@fabrikam.com> -DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; - s=selector1-fabrikam-com; d=contoso.onmicrosoft.com; t=1429912795; - h=From:To:Message-ID:Subject:MIME-Version:Content-Type; - bh=<body hash>; - b=<signed field>; -``` + To confirm the corresponding public key that's used to verify the DKIM signature (which infers the private key that was used to sign the message), check the **s=** value in the **DKIM-Signature** header field (the selector; for example, `s=selector1-contoso-com`). -In this example, the host name and domain contain the values to which the CNAME would point if DKIM-signing for fabrikam.com had been enabled by the domain administrator. Eventually, every single message sent from Microsoft 365 will be DKIM-signed. If you enable DKIM yourself, the domain will be the same as the domain in the From: address, in this case fabrikam.com. If you don't, it will not align and instead will use your organization's initial domain. For information about determining your initial domain, see [Domains FAQ](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain). +For detailed syntax and parameter information, see the following articles: -## Set up DKIM so that a third-party service can send, or spoof, email on behalf of your custom domain -<a name="SetUp3rdPartyspoof"> </a> +- [Get-DkimSigningConfig](/powershell/module/exchange/get-dkimsigningconfig) +- [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig) -Some bulk email service providers, or software-as-a-service providers, let you set up DKIM keys for email that originates from their service. This requires coordination between yourself and the third-party in order to set up the necessary DNS records. Some third-party servers can have their own CNAME records with different selectors. No two organizations do it exactly the same way. 
Instead, the process depends entirely on the organization. +## Disable DKIM signing of outbound messages using a custom domain -An example message showing a properly configured DKIM for contoso.com and bulkemailprovider.com might look like this: +As described earlier in this article, enabling DKIM signing of outbound messages using a custom domain effectively switches DKIM signing from using the \*.onmicrosoft.com domain to using the custom domain. -```console -Return-Path: <communication@bulkemailprovider.com> - From: <sender@contoso.com> - DKIM-Signature: s=s1024; d=contoso.com - Subject: Here is a message from Bulk Email Provider's infrastructure, but with a DKIM signature authorized by contoso.com -``` +When you disable DKIM signing using a custom domain, you aren't completely disabling DKIM signing for outbound mail. DKIM signing eventually switches back to using the \*.onmicrosoft domain. -In this example, in order to achieve this result: +### Use the Defender portal to disable DKIM signing of outbound messages using a custom domain -1. Bulk Email Provider gave Contoso a public DKIM key. +1. In the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Threat policies** \> **Email authentication settings** page. Or, to go directly to the **Email authentication settings** page, use <https://security.microsoft.com/authentication>. -2. Contoso published the DKIM key to its DNS record. +2. On the **Email authentication settings** page, select the **DKIM** tab. -3. When sending email, Bulk Email Provider signs the key with the corresponding private key. By doing so, Bulk Email Provider attached the DKIM signature to the message header. +3. On the **DKIM** tab, select the domain to configure by clicking anywhere in the row other than the check box next to the name. -4. 
Receiving email systems perform a DKIM check by authenticating the DKIM-Signature d=\<domain\> value against the domain in the From: (5322.From) address of the message. In this example, the values match: +4. In the domain details flyout that opens, slide the **Sign messages for this domain with DKIM signatures** toggle to **Disabled** :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::. - > sender@**contoso.com** + :::image type="content" source="../../media/email-auth-dkim-domain-properties-rotate-keys.png" alt-text="The domain details flyout with the Rotate DKIM keys button." lightbox="../../media/email-auth-dkim-domain-properties-create-dkim.png"::: - > d=**contoso.com** +#### Use Exchange Online PowerShell to disable DKIM signing of outbound messages using a custom domain -## Identify domains that do not send email +If you'd rather use PowerShell to disable DKIM signing of outbound messages using a custom domain, connect to [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) to run the following commands. -Organizations should explicitly state if a domain does not send email by specifying `v=DKIM1; p=` in the DKIM record for those domains. This advises receiving email servers that there are no valid public keys for the domain, and any email claiming to be from that domain should be rejected. You should do this for each domain and subdomain using a wildcard DKIM. +1. Run the following command to verify the availability and DKIM status of all domains in the organization: -For example, the DKIM record would look like this: + ```powershell + Get-DkimSigningConfig | Format-List Name,Enabled,Status + ``` -```console -*._domainkey.SubDomainThatShouldntSendMail.contoso.com. TXT "v=DKIM1; p=" -``` + Any custom domain that you can disable DKIM signing for has the following property values: ++ - **Enabled**: True + - **Status**: `Valid` ++2. 
For the domain that you want to disable DKIM signing for, use the following syntax: ++ ```powershell + Set-DkimSigningConfig -Identity <CustomDomain> -Enabled $false + ``` ++ This example disables DKIM signing using the custom domain contoso.com. ++ ```powershell + Set-DkimSigningConfig -Identity contoso.com -Enabled $false + ``` ++## Verify DKIM signing of outbound mail from Microsoft 365 ++> [!TIP] +> Before you use the methods in this section to test DKIM signing of outbound mail, wait a few minutes after any DKIM configuration changes to allow the changes to propagate. ++Use any of the following methods to verify DKIM signing of outbound email from Microsoft 365: -## Next steps: After you set up DKIM for Microsoft 365 -<a name="DKIMNextSteps"> </a> +- **Send test messages and view the related header fields from the message header in the destination email system**: -**Although DKIM is designed to help prevent spoofing, DKIM works better with SPF and DMARC.** + 1. Send a message from an account within your Microsoft 365 DKIM-enabled domain to a recipient in another email system (for example, outlook.com or gmail.com). -Once you have set up DKIM, if you have not already set up SPF you should do so. For a quick introduction to SPF and to get it configured quickly, see [**Set up SPF in Microsoft 365 to help prevent spoofing**](email-authentication-spf-configure.md). For a more in-depth understanding of how Microsoft 365 uses SPF, or for troubleshooting or non-standard deployments such as hybrid deployments, start with [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md). + > [!TIP] + > Don't send mail to AOL for DKIM testing. AOL might skip the DKIM check if the SPF check passes. -Next, see [**Use DMARC to validate email**](email-authentication-dmarc-configure.md). [Anti-spam message headers](message-headers-eop-mdo.md) includes the syntax and header fields used by Microsoft 365 for DKIM checks. + 2. 
In the destination mailbox, view the message header. For example: + - [View internet message headers in Outlook](https://support.microsoft.com/office/cd039382-dc6e-4264-ac74-c048563d212c). + - Use the Message Header Analyzer at <https://mha.azurewebsites.net>. ++ 3. Find the **DKIM-Signature** header field in the message header. The header field looks like the following example: ++ ```text + DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=contoso.com; + s=selector1; + h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; + bh=UErATeHehIIPIXPeUAfZWiKo0w2cSsOhb9XM9ulqTX0=; + ``` ++ - **d=**: The domain that was used to DKIM sign the message. + - **s=**: The selector (public key in the DNS record in the domain) that was used to decrypt and verify the DKIM signature of the message. ++ 4. Find the **Authentication-Results** header field in the message header. Although destination email systems might use slightly different formats to stamp inbound mail, the header field should include **DKIM=pass** or **DKIM=OK**. For example: + + ```text + Authentication-Results: mx.google.com; + dkim=pass header.i=@contoso.com header.s=selector1 header.b=NaHRSJOb; + arc=pass (i=1 spf=pass spfdomain=contoso.com dkim=pass dkdomain=contoso.com dmarc=pass fromdomain=contoso.com); + spf=pass (google.com: domain of michelle@contoso.com designates 0000:000:0000:0000::000 as permitted sender) smtp.mailfrom=michelle@contoso.com + ``` ++ > [!TIP] + > The DKIM signature is omitted under either of the following conditions: + > + > - The sender and recipient email addresses are in the same domain. + > - The sender and recipient email addresses are in different domains that are controlled by the same organization. 
+ > + > In both cases, the **DKIM-Signature** header field doesn't exist in the message header, and the **Authentication-Results** header field looks like the following example: + > + > ```text + > authentication-results: dkim=none (message not signed) + > header.d=none;dmarc=none action=none header.from=contoso.com; + > ``` ++- **Use the test in Microsoft 365 help**: This feature requires a Global Administrator account, and isn't available in Microsoft 365 Government Community Cloud (GCC), GCC High, DoD, or Office 365 operated by 21Vianet. ++ <div class="nextstepaction"> + <p><a href="https://admin.microsoft.com/AdminPortal/?searchSolutions=DKIM#/homepage" data-linktype="external">Run Tests: DKIM</a></p> + </div> ++ :::image type="content" source="../../media/email-auth-dkim-m365-test.png" alt-text="The DKIM diagnostics test in Microsoft 365 help." lightbox="../../media/email-auth-dkim-m365-test.png"::: ++## DKIM signing of mail from your custom domain at other email services ++Some email service providers or software-as-a-service providers let you enable DKIM signing for your mail that originates from the service. But, the methods depend entirely on the email service. ++> [!TIP] +> As mentioned earlier in this article, we recommend using subdomains for email systems or services that you don't directly control. ++For example, your email domain in Microsoft 365 is contoso.com, and you use the Adatum bulk mailing service for marketing email. 
If Adatum supports DKIM signing of messages from senders in your domain at their service, the messages might contain the following elements: ++```text +Return-Path: <communication@adatum.com> + From: <sender@marketing.contoso.com> + DKIM-Signature: s=s1024; d=marketing.contoso.com + Subject: This a message from the Adatum infrastructure, but with a DKIM signature authorized by marketing.contoso.com +``` -**This test will validate** that the DKIM signing configuration has been configured correctly, and that the proper DNS entries have been published. +In this example, the following steps are required: -> [!NOTE] -> This feature requires a Microsoft 365 administrator account. This feature isn't available for Microsoft 365 Government, Microsoft 365 operated by 21Vianet, or Microsoft 365 Germany. +1. Adatum gives Contoso a public key to use for DKIM signing of outbound Contoso mail from their service. +2. Contoso publishes the public DKIM key in DNS at the domain registrar for the marketing.contoso.com subdomain (a TXT record or a CNAME record). +3. When Adatum sends mail from senders in the marketing.contoso.com domain, the messages are DKIM signed using the private key that corresponds to the public key they gave to Contoso in the first step. +4. If the destination email system checks DKIM on inbound messages, the messages pass DKIM because they're DKIM signed. +5. 
If the destination email system checks DMARC on inbound messages, the domain in the DKIM signature (the **d=** value in the **DKIM-Signature** header field) matches the domain in the From address that's shown in email clients, so the messages can also pass DMARC: -<div class="nextstepaction"> -<p><a href="https://admin.microsoft.com/AdminPortal/?searchSolutions=DKIM#/homepage" data-linktype="external">Run Tests: DKIM</a></p> -</div> + **From**: sender@marketing.contoso.com<br> + **d=**: marketing.contoso.com -## More information +## Next steps -Key rotation via PowerShell: [Rotate-DkimSigningConfig](/powershell/module/exchange/rotate-dkimsigningconfig) +As described in [How SPF, DKIM, and DMARC work together to authenticate email message senders](email-authentication-about.md#how-spf-dkim-and-dmarc-work-together-to-authenticate-email-message-senders), DKIM alone isn't enough to prevent spoofing of your Microsoft 365 domain. You also need to configure SPF and DMARC for the best possible protection. For instructions, see: -[Use DMARC to validate email](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure) +- [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md) +- [Use DMARC to validate email](email-authentication-dmarc-configure.md) -[Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure) +For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure). |
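Review bot: Step 5 of "Use Exchange Online PowerShell to configure DKIM signing of outbound messages" runs `Set-DkimConfig -Identity \<Domain\> -Enabled $true [...]` and gives the examples `Set-DkimConfig -Identity contoso.com -Enabled $true` and `Set-DkimConfig -Identity contoso.onmicrosoft.com -Enabled $true`; no such cmdlet exists in Exchange Online, and the reference list at the end of the same section links Set-DkimSigningConfig, which is also the cmdlet the disable procedure uses. Replace all three with `Set-DkimSigningConfig`, drop the backslash escapes around `<Domain>` inside the fence (they render literally there; the New-DkimSigningConfig block in the same procedure writes `<Domain>` unescaped), and change the fence tag from `powerShell` to the `powershell` used everywhere else in the article. In the TIP above Step 1, "the \*.onmicrosoft.com doesn't appear in the output" is missing the word "domain".

Review bot: In "Rotate DKIM keys", the lead sentence "for a domain Microsoft 365" is missing "in", and the TIP says rotation is possible only where "the **Status** value is Enabled", while the property list two paragraphs up and Step 6 of the configuration procedure define the ready state as **Enabled**: True and **Status**: `Valid`; align the TIP with those values. The sentence "check the **s=** value in the **DKIM-Signature** header field (the selector; for example, `s=selector1-contoso-com`)" appears three times (in the section intro, in the portal rotation steps and in the PowerShell rotation steps) and its example contradicts the same section's statement that SelectorBeforeRotateOnDate and SelectorAfterRotateOnDate are `selector1` or `selector2`, as well as the Verify section's `d=contoso.com; s=selector1`: `selector1-contoso-com` is the \*.onmicrosoft.com-side hostname that the custom domain's CNAME points at (Step 3 of the PowerShell configuration procedure), not the selector stamped in a custom-domain signature. Use `s=selector1` (or `selector2`) for the custom-domain example and state the sentence once. In Step 3 of the PowerShell rotation procedure, "**SelectorAfterRotateOnDate**:" carries a stray trailing colon.

Review bot: In "Disable DKIM signing of outbound messages using a custom domain", "switches back to using the \*.onmicrosoft domain" should read "\*.onmicrosoft.com domain", matching the rest of the article. Step 4 of the portal procedure, which slides the toggle to **Disabled**, embeds `email-auth-dkim-domain-properties-rotate-keys.png` with the alt-text "The domain details flyout with the Rotate DKIM keys button" but a lightbox of `email-auth-dkim-domain-properties-create-dkim.png`; the source and lightbox should reference the same image, and the alt-text should describe the disabled toggle, not the rotate button.

Review bot: In "Verify DKIM signing of outbound mail from Microsoft 365", the bullet "**s=**: The selector (public key in the DNS record in the domain) that was used to decrypt and verify the DKIM signature" conflates the selector with the key and misdescribes signature checking: the selector names the DNS record that holds the public key, and the receiver uses that key to verify the signature, not to decrypt anything. Suggest "**s=**: The selector that identifies the DNS record holding the public key used to verify the DKIM signature." In "DKIM signing of mail from your custom domain at other email services", the example Subject line reads "This a message from the Adatum infrastructure" (missing "is").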
security | Email Authentication Dkim Support About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dkim-support-about.md | - Title: Support for validation of Domain Keys Identified Mail (DKIM) signed messages - - NOCSH ------ - MET150 -- - m365-security - - tier1 -description: Learn about the validation of DKIM signed messages in Exchange Online Protection and Exchange Online -- Previously updated : 6/15/2023-appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# Support for validation of DKIM signed messages ---Exchange Online Protection (EOP) and Exchange Online both support inbound validation of Domain Keys Identified Mail ([DKIM](https://www.rfc-editor.org/rfc/rfc6376.txt)) messages. --DKIM validates that an email message wasn't *spoofed* by someone else, and was sent from the domain it *says* it came from. It ties an email message to the organization that sent it. DKIM verification is used automatically for all messages sent with IPv6. Microsoft 365 also supports DKIM when mail is sent over IPv4. For more information about IPv6 support, see [Support for anonymous inbound email over IPv6](mail-flow-about.md#support-for-anonymous-inbound-email-over-ipv6). --DKIM validates a digitally signed message that appears in the DKIM-Signature header of the message headers. The results of a DKIM-Signature validation are stamped in the Authentication-Results header. 
The message header text appears similar to the following (where contoso.com is the sender): -- `Authentication-Results: <contoso.com>; dkim=pass (signature was verified) header.d=example.com;` --> [!NOTE] -> For more information about the Authentication-Results header, see RFC 7001 ([Message Header Field for Indicating Message Authentication Status](https://www.rfc-editor.org/rfc/rfc7001.txt). Microsoft's DKIM implementation conforms with this RFC. --Admins can create Exchange [mail flow rules](/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules) (also known as transport rules) on the results of DKIM validation. These mail flow rules will allow admins to filter or route messages as needed. |
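Review bot: this hunk deletes the whole email-authentication-dkim-support-about.md article rather than editing it, so it needs a redirect entry for the old path and a check of inbound links. The deleted lines were the only place in this batch that documents where inbound DKIM results are stamped (the `Authentication-Results` header, for example `dkim=pass (signature was verified) header.d=example.com;`) and that mail flow rules can key on the DKIM verdict; the replacement DKIM text in the other hunks only mentions the `d=` value of the `DKIM-Signature` header. Either move those two points into the surviving DKIM article or note where they now live, and while doing so close the unbalanced parenthesis in the RFC 7001 link text that the old note carried.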
security | Email Authentication Dmarc Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dmarc-configure.md | Title: Use DMARC to validate email, setup steps f1.keywords: - NOCSH---+++ audience: ITPro Previously updated : 6/15/2023 Last updated : 1/29/2024 ms.localizationpriority: high search.appverid: - MET150 ms.assetid: 4a05898c-b8e4-4eab-bd70-ee912e349737 - m365-security - tier1-description: Learn how to configure Domain-based Message Authentication, Reporting, and Conformance (DMARC) to validate messages sent from your organization, contains information on DMARC reject or OReject. +description: Learn how to configure Domain-based Message Authentication, Reporting, and Conformance (DMARC) to validate messages sent from your organization. appliesto: appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> -# Use DMARC to validate email +# Set up DMARC to validate the From address domain for senders in Microsoft 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -Domain-based Message Authentication, Reporting, and Conformance ([DMARC](https://dmarc.org)) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders. +Domain-based Message Authentication, Reporting and Conformance (DMARC) is a method of [email authentication](email-authentication-about.md) that helps validate mail sent from your Microsoft 365 organization to prevent spoofed senders that are used in business email compromise (BEC), ransomware, and other phishing attacks. -DMARC ensures the destination email systems trust messages sent from your domain. Using DMARC with SPF and DKIM gives organizations more protection against spoofing and phishing email. 
DMARC helps receiving mail systems decide what to do with messages from your domain that fail SPF or DKIM checks. +You enable DMARC for a domain by creating a TXT record in DNS. DMARC validation of an email message involves the following elements: -> [!TIP] -> Visit the [Microsoft Intelligent Security Association (MISA)](https://www.microsoft.com/misapartnercatalog) catalog to view third-party vendors offering DMARC reporting for Microsoft 365. --> [!TIP] -> **Have you seen our step-by-step guides?** Configuration 1-2-3s and no frills, for admins in a hurry. Visit for the steps to *[enable DMARC Reporting for Microsoft Online Email Routing Addresses (MOERA) and parked Domains](step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md)*. --## How do SPF and DMARC work together to protect email in Microsoft 365? -- An email message may contain multiple originator or sender addresses. These addresses are used for different purposes. For example, consider these addresses: --- **"Mail From" address**: Identifies the sender and says where to send return notices if any problems occur with the delivery of the message (such as non-delivery notices). *Mail From address* appears in the envelope portion of an email message and isn't displayed by your email application, and is sometimes called the *5321.MailFrom address* or the *reverse-path address*.--- **"From" address**: The address displayed as the From address by your mail application. *From address* identifies the author of the email. That is, the mailbox of the person or system responsible for writing the message. The *From address* is sometimes called the *5322.From address*.--SPF uses a DNS TXT record to list authorized sending IP addresses for a given domain. Normally, SPF checks are only performed against the 5321.MailFrom address. 
The 5322.From address isn't authenticated when you use SPF by itself, which allows for a scenario where a user gets a message that passed SPF checks but has a spoofed 5322.From sender address. For example, consider this SMTP transcript: --```console -S: Helo woodgrovebank.com -S: Mail from: phish@phishing.contoso.com -S: Rcpt to: astobes@tailspintoys.com -S: data -S: To: "Andrew Stobes" <astobes@tailspintoys.com> -S: From: "Woodgrove Bank Security" <security@woodgrovebank.com> -S: Subject: Woodgrove Bank - Action required -S: -S: Greetings User, -S: -S: We need to verify your banking details. -S: Please click the following link to verify that Microsoft has the right information for your account. -S: -S: https://short.url/woodgrovebank/updateaccount/12-121.aspx -S: -S: Thank you, -S: Woodgrove Bank -S: . -``` --In this transcript, the sender addresses are as follows: --- Mail from address (5321.MailFrom): phish@phishing.contoso.com--- From address (5322.From): security@woodgrovebank.com--If you configured SPF, then the receiving server does a check against the Mail from address phish@phishing.contoso.com. If the message came from a valid source for the domain phishing.contoso.com, then the SPF check passes. Since the email client only displays the From address, the user sees this message came from security@woodgrovebank.com. With SPF alone, the validity of woodgrovebank.com was never authenticated. --When you use DMARC, the receiving server also performs a check against the From address. In the example above, if there's a DMARC TXT record in place for woodgrovebank.com, then the check against the From address fails. 
+- **Verify the domains in the MAIL FROM and FROM addresses align**: [SPF](email-authentication-spf-configure.md) and [DKIM](email-authentication-dkim-configure.md) don't require the domains in the following email addresses to "align" (match): + - **The MAIL FROM address**: The email address that's used in the transmission of the message between SMTP email servers. This address is also known as the `5321.MailFrom` address, P1 sender, or envelope sender. + - **The From address**: The email address in the **From** header field that's shown as the message sender in email clients. This address is also known as the `5322.From` address or P2 sender. -## What is a DMARC TXT record? + For more information about how these email addresses can be in different domains and used for spoofing, see [Why internet email needs authentication](email-authentication-about.md#why-internet-email-needs-authentication). -Like the DNS records for SPF, the record for DMARC is a DNS text (TXT) record that helps prevent spoofing and phishing. You publish DMARC TXT records in DNS. DMARC TXT records validate the origin of email messages by verifying the IP address of an email's author against the alleged owner of the sending domain. The DMARC TXT record identifies authorized outbound email servers. Destination email systems can then verify that messages they receive originate from authorized outbound email servers. + - DMARC uses the result from SPF to verify both of the following conditions: + - The message came from an authorized source for the domain that's used in the MAIL FROM address (the basic requirement of SPF). + - The domains in the MAIL FROM and From addresses in the message are aligned. This result effectively requires that valid sources for the message must be in the From address domain. 
-Microsoft's DMARC TXT record looks something like this: + - DMARC uses the result from DKIM to verify the domain that signed the message (the **d=** value in a **DKIM-Signature** header field as validated by the **s=** selector value) aligns with the domain in the From address. -```console -_dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.contoso.com; ruf=mailto:d@ruf.contoso.com; fo=1" -``` + A message passes DMARC if one or both of the described SPF or DKIM checks pass. A message fails DMARC if both of the described SPF or DKIM checks fail. -For more third-party vendors who offer DMARC reporting for Microsoft 365, visit the [MISA catalog](https://www.microsoft.com/misapartnercatalog?IntegratedProducts=DMARCReportingforOffice365). +- **DMARC policy**: Specifies what to do with messages that fail DMARC (reject, quarantine, or no instruction). -## Set up DMARC for inbound mail +- **DMARC reports**: Specifies where to send Aggregate reports (a periodic summary of positive and negative DMARC results) and Forensic reports (also known as _Failure reports_; nearly immediate DMARC failure results similar to a non-delivery report or bounce message). -You don't have to do a thing to set up DMARC for mail that you receive in Microsoft 365. It's all taken care of. If you want to learn what happens to mail that fails to pass our DMARC checks, see [How Microsoft 365 handles inbound email that fails DMARC](#how-microsoft-365-handles-inbound-email-that-fails-dmarc). +Before we get started, here's what you need to know about DMARC in Microsoft 365 based on your email domain: -## Set up DMARC for outbound mail from Microsoft 365 +- **If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: Although SPF and DKIM are already configured for your \*.onmicrosoft.com domain, you need to create the DMARC TXT record for the \*.onmicrosoft.com domain in the Microsoft 365 admin center. 
For instructions, see [this section](#use-the-microsoft-365-admin-center-to-add-dmarc-txt-records-for-onmicrosoftcom-domains-in-microsoft-365) later in this article. For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain). -If you use Microsoft 365 but you aren't using a custom domain (you use onmicrosoft.com), SPF is already set up for you and Microsoft 365 automatically generates a DKIM signature for your outgoing mail (for more information about this signature, see [Default behavior for DKIM and Microsoft 365](email-authentication-dkim-configure.md#DefaultDKIMbehavior)). To set up DMARC for your organization, you need to [Form the DMARC TXT record](#step-4-form-the-dmarc-txt-record-for-your-domain) for the onmicrosoft.com domain and publish it to DNS via [Office 365 Admin Center](https://admin.microsoft.com) > Settings > Domains > click on onmicrosoft.com domain > Add record. +- **If you use one or more custom domains for email (for example, contoso.com)**: If you haven't already, you need to configure SPF for all custom domains and subdomains that you use for email. You also need to configure DKIM signing using the custom domain or subdomain so the domain that's used to sign the message aligns with the domain in the From address. For instructions, see the following articles: + - [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md) + - [Use DKIM to validate outbound mail from your custom domain](email-authentication-dkim-configure.md) - If you have a custom domain or are using on-premises Exchange servers along with Microsoft 365, you need to manually set up DMARC for your outbound mail. Setting up DMARC for your custom domain includes these steps: + After that, you also need to configure the DMARC TXT records for your custom domains as described in this article. 
You also have the following considerations: -- [Step 1: Identify valid sources of mail for your domain](#step-1-identify-valid-sources-of-mail-for-your-domain)+ - **Subdomains**: + - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by employees in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365). + - Unlike SPF and DKIM, the DMARC TXT record for a domain automatically covers all subdomains (including nonexistent subdomains) that don't have their own DMARC TXT record. In other words, you can disrupt the inheritance of DMARC on a subdomain by creating a DMARC TXT record in that subdomain. But, each subdomain requires an SPF and DKIM record for DMARC. -- [Step 2: Set up SPF for your domain](#step-2-set-up-spf-for-your-domain)+ - **If you own registered but unused domains**: If you own registered domains that aren't used for email or anything at all (also known as _parked domains_), configure the DMARC TXT records in those domains to specify that no email should ever come from those domains. **This directive includes the \*.onmicrosoft.com domain if you aren't using it for email**. -- [Step 3: Set up DKIM for your custom domain](#step-3-set-up-dkim-for-your-custom-domain)+- **DMARC checks for _inbound_ mail might need help**: If you use an email service that modifies messages in transit before delivery into Microsoft 365, you can identify the service as a trusted ARC sealer so the modified messages don't automatically fail DMARC checks. 
For more information, see the [Next Steps](#next-steps) section at the end of this article. -- [Step 4: Form the DMARC TXT record for your domain](#step-4-form-the-dmarc-txt-record-for-your-domain)+The rest of this article describes the DMARC TXT record that you need to create for domains in Microsoft 365, the best way to gradually and safely set up DMARC for custom domains in Microsoft 365, and how Microsoft 365 uses DMARC on _inbound_ mail. -### Step 1: Identify valid sources of mail for your domain --If you have already set up SPF, then you've already gone through this exercise. There are some further considerations for DMARC. When identifying sources of mail for your domain, answer these two questions: --- What IP addresses send messages from my domain?--- For mail sent from third parties on my behalf, will the 5321.MailFrom and 5322.From domains match?+> [!TIP] +> To create the DMARC TXT record for your **\*.onmicrosoft.com domain** in the Microsoft 365 admin center, see [this section](#use-the-microsoft-365-admin-center-to-add-dmarc-txt-records-for-onmicrosoftcom-domains-in-microsoft-365) later in this article. +> +> There are no admin portals or PowerShell cmdlets in Microsoft 365 for you to manage DMARC TXT records in your **custom** domains. Instead, you create the DMARC TXT record at your domain registrar or DNS hosting service (often the same company). +> +> We provide instructions to create the proof of domain ownership TXT record for Microsoft 365 at many domain registrars. You can use these instructions as a starting point to create DMARC TXT records. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). +> +> If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help. 
-### Step 2: Set up SPF for your domain +## Syntax for DMARC TXT records -Now that you have a list of all your valid senders you can follow the steps to [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md). +DMARC TXT records are exhaustively described in [RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489). -For example, assuming contoso.com sends mail from Exchange Online, an on-premises Exchange server whose IP address is 192.168.0.1, and a web application whose IP address is 192.168.100.100, the SPF TXT record would look like this: +The basic syntax of the DMARC TXT record for a domain in Microsoft 365 is: -```console -contoso.com IN TXT " v=spf1 ip4:192.168.0.1 ip4:192.168.100.100 include:spf.protection.outlook.com -all" -``` +**Hostname**: `_dmarc`<br/> +**TXT value**: `v=DMARC1; <DMARC policy>; <Percentage of DMARC failed mail subject to DMARC policy>; <DMARC reports>` -As a best practice, ensure that your SPF TXT record takes into account third-party senders. +Or -### Step 3: Set up DKIM for your custom domain +**Hostname**: `_dmarc`<br/> +**TXT value**: `v=DMARC1; p=<reject | quarantine | none>; pct=<0-100>; rua=mailto:<DMARCAggregateReportURI>; ruf=mailto:<DMARCForensicReportURI>` -Once you've set up SPF, you need to set up DKIM. DKIM lets you add a digital signature to email messages in the message header. If you don't set up DKIM and instead allow Microsoft 365 to use the default DKIM configuration for your domain, DMARC may fail. This failure can happen because the default DKIM configuration uses your original *onmicrosoft.com* domain as the *5321.MailFrom* address, not your *custom* domain. This creates a mismatch between the *5321.MailFrom* and the *5322.From addresses* in all the email sent from your domain. +For example: -If you have third-party senders that send mail on your behalf and the mail they send has mismatched 5321.MailFrom and 5322.From addresses, DMARC will fail for that email. 
To avoid this, you need to set up DKIM for your domain specifically with that third-party sender. This allows Microsoft 365 to authenticate email from this 3rd-party service. However, it also allows others, for example, Yahoo, Gmail, and Comcast, to verify email sent to them by the third-party as if it was email sent by you. This is beneficial because it allows your customers to build trust with your domain no matter where their mailbox is located, and at the same time Microsoft 365 won't mark a message as spam due to spoofing because it passes authentication checks for your domain. +**Hostname**: `_dmarc`<br/> +**TXT value**: `v=DMARC1; p=reject; pct=100; rua=mailto:rua@contoso.com; ruf=mailto:ruf@contoso.com` -For instructions on setting up DKIM for your domain, including how to set up DKIM for third-party senders so they can spoof your domain, see [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md). +- The hostname value `_dmarc` is required. -### Step 4: Form the DMARC TXT record for your domain +- `v=DMARC1;` identifies the TXT record as a DMARC TXT record. -Although there are other syntax options that aren't mentioned here, these are the most commonly used options for Microsoft 365. Form the DMARC TXT record for your domain in the format: +- **DMARC policy**: Tells the destination email system what to with messages that fail DMARC as described earlier in this article: + - `p=reject`: The messages should be rejected. What actually happens to the message depends on the destination email system, but the messages are typically discarded. + - `p=quarantine`: The messages should be accepted but marked. What actually happens to the message depends on the destination email system. For example, the message might be quarantined as spam, delivered to the Junk Email folder, or delivered to the Inbox with an identifier added to the Subject or message body. 
+ - `p=none`: No suggested action for messages that fail DMARC. What happens to the message depends on the email protection features in the destination email system. You use this value for [testing and tuning of the DMARC policy](#set-up-dmarc-for-active-custom-domains-in-microsoft-365) as described later in this article. -```console -_dmarc.domain TTL IN TXT "v=DMARC1; p=policy; pct=100" -``` + > [!TIP] + > Outbound mail from domains in Microsoft 365 that fail DMARC checks by the destination email service is routed through the [High-risk delivery pool for outbound messages](outbound-spam-high-risk-delivery-pool-about.md) if the DMARC policy for the domain is `p=reject` or `p=quarantine`. There's no override for this behavior. -Where: +- **Percentage of failed DMARC mail subject to DMARC policy**: Tells the destination email system how many messages that fail DMARC (percentage) get the DMARC policy applied to them. For example, `pct=100` means all messages that fail DMARC get the DMARC policy applied to them. You use values less than 100 for [testing and tuning of the DMARC policy](#set-up-dmarc-for-active-custom-domains-in-microsoft-365) as described later in this article. If you don't use `pct=`, the default value is `pct=100`. -- *domain* is the domain you want to protect. By default, the record protects mail from the domain and all subdomains. For example, if you specify \_dmarc.contoso.com, then DMARC protects mail from the domain and all subdomains, such as housewares.contoso.com or plumbing.contoso.com.+- **DMARC reports**: + - **DMARC Aggregate report URI**: The `rua=mailto:` value identifies where to send the DMARC Aggregate report. The Aggregate report has the following properties: + - The email messages that contain the Aggregate report are typically sent once per day (the report contains the DMARC results from the previous day). 
The Subject line contains the destination domain that sent the report (Submitter) and the source domain for the DMARC results (Report Domain). + - The DMARC data is in an XML email attachment that's likely GZIP compressed. The XML schema is defined in [Appendix C of RFC 7489](https://datatracker.ietf.org/doc/html/rfc7489#appendix-C). The report contains the following information: + - The IP addresses of servers or services that send mail using your domain. + - Whether the servers or services pass or fail DMARC authentication. + - The actions that DMARC takes on mail that fails DMARC authentication (based on the DMARC policy). -- *TTL* should always be the equivalent of one hour. The unit used for TTL, either hours (1 hour), minutes (60 minutes), or seconds (3600 seconds), will vary depending on the registrar for your domain.+ > [!TIP] + > The information in the Aggregate report can be vast and difficult to parse. To help make sense of the data, you can use the following options for DMARC reporting: + > + > - Create automation using PowerShell or Microsoft Power BI. + > - Use an external service. For a list of services, search for DMARC in the Microsoft Intelligent Security Association (MISA) Catalog at <https://www.microsoft.com/misapartnercatalog>. The DMARC reporting services describe any custom values that are required in the DMARC TXT record. -- *pct=100* indicates that this rule should be used for 100% of email.+ - **DMARC Forensic report URI**: The `ruf=mailto:` value identifies where to send the DMARC Forensic report (also known as the DMARC Failure report). The report is generated and sent immediately after a DMARC failure like a non-delivery report (also known as an NDR or bounce message). -- *policy* specifies what policy you want the receiving server to follow if DMARC fails. 
You can set the policy to none, quarantine, or reject.+ > [!TIP] + > You should regularly review the DMARC Aggregate reports to monitor where email from your domains is coming from, and to check for unintentional DMARC failures (false positives). + > + > Individual destination email systems are responsible for sending DMARC reports back to you. The amount and variety of DMARC reports varies in the same way that the volume and variety of mail sent from your organization varies. For example, expect lower mail volume during holidays, and higher mail volume during organizational events. It's best to designate specific people to monitor DMARC reports, and to use a specific mailbox or Microsoft 365 Group to receive the DMARC reports (don't deliver the reports to a user's mailbox). -For information about which options to use, become familiar with the concepts in [Best practices for implementing DMARC in Microsoft 365](#best-practices-for-implementing-dmarc-in-microsoft-365). +For more information about DMARC, use the following resources: -Examples: +- The [DMARC Training Series](https://www.m3aawg.org/activities/training/dmarc-training-series) from M<sup>3</sup>AAWG (Messaging, Malware, Mobile Anti-Abuse Working Group). +- The checklist at [dmarcian](https://space.dmarcian.com/deployment/). +- Information at [DMARC.org](https://dmarc.org). -- Policy set to none+## Use the Microsoft 365 admin center to add DMARC TXT records for \*.onmicrosoft.com domains in Microsoft 365 - ```console - _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=none" - ``` +1. In the Microsoft 365 admin center at <https://admin.microsoft.com>, select **Show all** \> **Settings** \> **Domains**. Or, to go directly to the **Domains** page, use <https://admin.microsoft.com/Adminportal/Home#/Domains>. -- Policy set to quarantine+2. On the **Domains** page, select the \*.onmicrosoft.com domain from the list by clicking anywhere in the row other than the check box next to the domain name. 
- ```console - _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=quarantine" - ``` +3. On the domain details page that opens, select the **DNS records** tab. -- Policy set to reject+4. On the **DNS records** tab, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add record**. - ```console - _dmarc.contoso.com 3600 IN TXT "v=DMARC1; p=reject" - ``` +5. On the **Add a custom DNS record** flyout that opens, configure the following settings: + - **Type**: Verify that **TXT (Text)** is selected. + - **TXT name**: Enter `_dmarc`. + - **TXT value**: Enter `v=DMARC1; p=reject`. -Once you've formed your record, you need to update the record at your domain registrar. + > [!TIP] + > To specify destinations for the DMARC Aggregate and DMARC Forensic reports, use the syntax `v=DMARC1; p=reject rua=mailto:<emailaddress>; ruf=mailto:<emailaddress>`. For example, `v=DMARC1; p=reject rua=mailto:rua@contoso.onmicrosoft.com; ruf=mailto:ruf@contoso.onmicrosoft.com`. + > + > DMARC reporting vendors in the MISA Catalog at <https://www.microsoft.com/misapartnercatalog> make it easier to view and interpret DMARC results. -## DMARC Mail + - **TTL**: Verify that **1 hour** is selected. -> [!CAUTION] -> Mails may not be sent out daily. + When you're finished on the **Add a custom DNS record** flyout, select **Save**. -In this example DMARC TXT record: `dmarc.microsoft.com. 3600 IN TXT "v=DMARC1; p=none; pct=100; rua=mailto:d@rua.example.com; ruf=mailto:d@ruf.example.com; fo=1"`, you can see the *rua* address. This address is used to send 'aggregate feedback' for analysis, which is used to generate a report. +## Set up DMARC for active custom domains in Microsoft 365 > [!TIP]-> Visit the [MISA catalog](https://www.microsoft.com/misapartnercatalog) to view more third-party vendors offering DMARC reporting for Microsoft 365. 
See [IETF.org's 'Domain-based Message Authentication, Reporting, and Conformance (DMARC)'](https://datatracker.ietf.org/doc/html/rfc7489) for more information on DMARC 'rua' addresses. --## Best practices for implementing DMARC in Microsoft 365 --You can implement DMARC gradually without impacting the rest of your mail flow. Create and implement a roll-out plan that follows these steps. Do each of these steps first with a sub-domain, then other sub-domains, and finally with the top-level domain in your organization before moving on to the next step. --1. Monitor the impact of implementing DMARC +> As mentioned previously in this article, you need to [create SPF TXT records](email-authentication-spf-configure.md#spf-txt-records-for-custom-domains-in-microsoft-365) and [configure DKIM signing](email-authentication-dkim-configure.md#use-the-defender-portal-to-enable-dkim-signing-of-outbound-messages-using-a-custom-domain) for all custom domains and subdomains that you use to send email in Microsoft 365 _before_ you configure DMARC for custom domains or subdomains. - Start with a simple monitoring-mode record for a sub-domain or domain that requests that DMARC receivers send you statistics about messages that they see using that domain. A monitoring-mode record is a DMARC TXT record that has its policy set to none (p=none). Many companies publish a DMARC TXT record with p=none because they're unsure about how much email they may lose by publishing a more restrictive DMARC policy. +We recommend a gradual approach to setting up DMARC for your Microsoft 365 domains. The goal is to get to a `p=reject` DMARC policy for all of your custom domains and subdomains, but you need to test and verify along the way to prevent destination email systems from rejecting good mail because of unintentional DMARC failures. - You can do this even before you've implemented SPF or DKIM in your messaging infrastructure. 
However, you won't be able to effectively quarantine or reject mail by using DMARC until you also implement SPF and DKIM. As you introduce SPF and DKIM, the reports generated through DMARC will give the numbers and sources of messages that pass these checks, versus those that don't. You can easily see how much of your legitimate traffic is or isn't covered by them, and troubleshoot any problems. You'll also begin to see how many fraudulent messages are being sent, and where they're sent from. +Your DMARC roll-out plan should use the following steps. Start with a domain or subdomain with low mail volume and/or fewer potential email sources (less chance of legitimate mail from unknown sources being blocked): -2. Request that external mail systems quarantine mail that fails DMARC +1. Start with a DMARC policy of `p=none` and monitor the results for the domain. For example: - When you believe that all or most of your legitimate traffic is protected by SPF and DKIM, and you understand the impact of implementing DMARC, you can implement a quarantine policy. A quarantine policy is a DMARC TXT record that has its policy set to quarantine (p=quarantine). By doing this, you're asking DMARC receivers to put messages from your domain that fail DMARC into the local equivalent of a spam folder instead of your customers' inboxes. + **DMARC TXT record for marketing.contoso.com**: -3. Request that external mail systems not accept messages that fail DMARC + **Hostname**: `_dmarc`<br/> + **TXT value**: `v=DMARC1; p=none; pct=100; rua=mailto:rua@marketing.contoso.com; ruf=mailto:ruf@marketing.contoso.com` - The final step is implementing a reject policy. A reject policy is a DMARC TXT record that has its policy set to reject (p=reject). When you do this, you're asking DMARC receivers not to accept messages that fail the DMARC checks. + The DMARC Aggregate and DMARC Forensic reports give the numbers and sources of messages that pass and fail DMARC checks. 
You can see how much of your legitimate mail traffic is or isn't covered by DMARC, and troubleshoot any problems. You can also see how many fraudulent messages are being sent, and where they're sent from. -4. How to set up DMARC for subdomain? +2. Increase the DMARC policy to `p=quarantine` and monitor the results for the domain. - DMARC is implemented by publishing a policy as a TXT record in DNS and is hierarchical (for example, a policy published for contoso.com will apply to sub.domain.contoso.com unless a different policy is explicitly defined for the subdomain). This is useful as organizations may be able to specify a smaller number of high-level DMARC records for wider coverage. Care should be taken to configure explicit subdomain DMARC records where you don't want the subdomains to inherit the top-level domain's DMARC record. + After enough time monitoring the effects of `p=none`, you can increase the DMARC policy to `p=quarantine` for the domain. For example: - Also, you can add a wildcard-type policy for DMARC when subdomains shouldn't be sending email, by adding the `sp=reject` value. For example: + **DMARC TXT record for marketing.contoso.com**: - ```text - _dmarc.contoso.com. TXT "v=DMARC1; p=reject; sp=reject; ruf=mailto:authfail@contoso.com; rua=mailto:aggrep@contoso.com" - ``` + **Hostname**: `_dmarc`<br/> + **TXT value**: `v=DMARC1; p=quarantine; pct=100; rua=mailto:rua@marketing.contoso.com; ruf=mailto:ruf@marketing.contoso.com` -## DMARC Reject + You can also use the `pct=` value to gradually affect more messages and verify the results. For example, you can move in the following increments: -DMARC `p=reject` is a policy that's set in the DMARC TXT record by domain owners to notify service providers to *reject* email that fails DMARC. 
+ - `pct=10` + - `pct=25` + - `pct=50` + - `pct=75` + - `pct=100` -It came about because when OReject is set as the default, rejected email was sent to quarantine in Enterprise, and to the Junk Email folder in Consumer (due to lack of quarantine in Consumer). However, with DMARC `p=reject`, the email is rejected. +3. Increase the DMARC policy to `p=reject` and monitor the results for the domain. -Configuration can be done in the Microsoft Defender portal, or by the [New-AntiPhishPolicy](/powershell/module/exchange/new-antiphishpolicy) or [Set-AntiPhishPolicy](/powershell/module/exchange/set-antiphishpolicy) cmdlets in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). For more information, see the following articles: + After enough time monitoring the effects of `p=quarantine`, you can increase the DMARC policy to `p=reject` for the domain. For example: -- [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies)-- [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md)-- [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md)+ **DMARC TXT record for marketing.contoso.com**: -## How Microsoft 365 handles outbound email that fails DMARC + **Hostname**: `_dmarc`<br/> + **TXT value**: `v=DMARC1; p=reject; pct=100; rua=mailto:rua@marketing.contoso.com; ruf=mailto:ruf@marketing.contoso.com` -If a message is outbound from Microsoft 365 and fails DMARC, and you have set the policy to p=quarantine or p=reject, the message is routed through the [High-risk delivery pool for outbound messages](outbound-spam-high-risk-delivery-pool-about.md). There's no override for outbound email. + You can also use the `pct=` value to gradually affect more messages and verify the results. 
-If you publish a DMARC reject policy (p=reject), no other customer in Microsoft 365 can spoof your domain because messages won't be able to pass SPF or DKIM for your domain when relaying a message outbound through the service. However, if you do publish a DMARC reject policy but don't have all of your email authenticated through Microsoft 365, some of it may be marked as spam for inbound email (as described above), or it will be rejected if you don't publish SPF and try to relay it outbound through the service. This happens, for example, if you forget to include some of the IP addresses for servers and apps that send mail on behalf of your domain when you form your DMARC TXT record. +4. Repeat the previous three steps for the remaining subdomains of increasing volume and/or complexity, saving the parent domain for last. -## How Microsoft 365 handles inbound email that fails DMARC + > [!TIP] + > Blocking legitimate email in any significant volume is unacceptable to users, but it's almost inevitable that you're going to get some false positives. Go slowly and methodically deal with issues that are revealed in DMARC reporting. DMARC reporting vendors in the MISA Catalog at <https://www.microsoft.com/misapartnercatalog> make it easier to view and interpret the DMARC results. -If the DMARC policy of the sending domain is `p=reject`, [Exchange Online Protection](eop-about.md) (EOP) rejects the message by default. You can configure anti-phishing policies to honor or not honor `p=quarantine` and `p=reject` in sender DMARC policies, and specify separate actions for `p=quarantine` and `p=reject`. For more information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). +5. As described earlier, subdomains inherit the DMARC TXT record settings of the parent domain, which can be overridden by a separate DMARC TXT record in the subdomain. 
When you're finished setting up DMARC in a domain and all subdomains, and the DMARC settings are effectively identical for the parent domain and all subdomains, you can eliminate the DMARC TXT records in the subdomains and rely on the single DMARC TXT record in the parent domain. -When anti-phishing policies are configured to not honor `p=quarantine` or `p=reject` in DMARC policies, messages that fail DMARC are marked as spam and aren't rejected. Users can still get these messages in their inbox through these methods: +## DMARC TXT records for parked domains in Microsoft 365 -- Users add safe senders individually by using their email client.-- Admins can use the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md#override-the-spoof-intelligence-verdict) or the [Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#create-allow-entries-for-spoofed-senders) to allow messages from the spoofed sender.-- Admins create an Exchange mail flow rule (also known as a transport rule) for all users that allows messages for those particular senders.-- Admins create an Exchange mail flow rule for all users for rejected email that fails the organization's DMARC policy.--For more information, see [Create safe sender lists](create-safe-sender-lists-in-office-365.md). --## How Microsoft 365 utilizes Authenticated Received Chain (ARC) --All hosted mailboxes in Microsoft 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing protection. ARC preserves the email authentication results from all participating intermediaries, or hops, when an email is routed from the originating server to the recipient mailbox. Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause DMARC failures by the time the email reached the recipient mailbox. 
With ARC, the cryptographic preservation of the authentication results allows Microsoft 365 to verify the authenticity of an email's sender. --Microsoft 365 currently utilizes ARC to verify authentication results when Microsoft is the ARC Sealer, but plan to add support for third-party ARC sealers in the future. +> [!TIP] +> The recommended SPF TXT record for parked domains that don't send mail is described in [SPF TXT records for custom domains in Microsoft 365](email-authentication-spf-configure.md#spf-txt-records-for-custom-domains-in-microsoft-365). As described in [Set up DKIM to sign mail from your Microsoft 365 domain](email-authentication-dkim-configure.md), we don't recommend DKIM CNAME records for parked domains. -## Troubleshooting your DMARC implementation +1. If you have registered domains that no one on the internet should expect to receive mail from, create the following DMARC TXT record at the domain registrar for the domain: -If you've configured your domain's MX records where EOP isn't the first entry, DMARC failures won't be enforced for your domain. + **Hostname**: `_dmarc`<br/> + **TXT value**: `v=DMARC1; p=reject;` -If you're a customer, and your domain's primary MX record doesn't point to EOP, you won't get the benefits of DMARC. For example, DMARC won't work if you point the MX record to your on-premises mail server and then route email to EOP by using a connector. In this scenario, the receiving domain is one of your Accepted-Domains but EOP isn't the primary MX. For example, suppose contoso.com points its MX at itself and uses EOP as a secondary MX record, contoso.com's MX record looks like the following: + - The `pct=` value isn't included, because the default value is `pct=100`. + - The `rua=mailto:` and `ruf=mailto:` values are arguably not needed in this scenario, because no valid mail should ever come from senders in the domain. 
-```console -contoso.com 3600 IN MX 0 mail.contoso.com -contoso.com 3600 IN MX 10 contoso-com.mail.protection.outlook.com -``` +2. If you don't use the \*.onmicrosoft.com domain to send mail, you also need to [add the DMARC TXT record for your \*.onmicrosoft.com domain](#use-the-microsoft-365-admin-center-to-add-dmarc-txt-records-for-onmicrosoftcom-domains-in-microsoft-365). -All, or most, email will first be routed to mail.contoso.com since it's the primary MX, and then mail will get routed to EOP. In some cases, you might not even list EOP as an MX record at all and simply hook up connectors to route your email. EOP doesn't have to be the first entry for DMARC validation to be done. It just ensures the validation, to be certain that all on-premise/non-O365 servers will do DMARC checks. DMARC is eligible to be enforced for a customer's domain (not server) when you set up the DMARC TXT record, but it's up to the receiving server to actually do the enforcement. If you set up EOP as the receiving server, then EOP does the DMARC enforcement. +## DMARC for inbound mail into Microsoft 365 +- DMARC checks on mail coming into Microsoft 365 are affected by the following features in Exchange Online Protection (EOP): + - Whether [spoof intelligence](anti-phishing-policies-about.md#spoof-settings) is enabled or disabled in the anti-phishing policy that checked the message. Disabling spoof intelligence disables _implicit_ spoofing protection from [composite authentication](email-authentication-about.md#composite-authentication) checks only. + - Whether the **Honor DMARC record policy when the message is detected as spoof** setting is enabled or disabled in the anti-phishing policy that checked the message, and the specified actions based on the DMARC policy of the source domain (`p=quarantine`, or `p=reject` in the DMARC TXT record). 
-## For more information + For complete information, see [Spoof protection and sender DMARC policies](anti-phishing-policies-about.md#spoof-protection-and-sender-dmarc-policies). -Want more information about DMARC? These resources can help. + To see the default values for these settings in anti-phishing policies, check the setting values in the table at [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings). -- [Anti-spam message headers](message-headers-eop-mdo.md) includes the syntax and header fields used by Microsoft 365 for DMARC checks.+- Microsoft 365 doesn't send DMARC Forensic reports (also known as DMARC Failure reports), even if a valid `ruf=mailto:` address exists in the DMARC TXT record of the source domain. -- Take the [DMARC Training Series](https://www.m3aawg.org/activities/training/dmarc-training-series) from M<sup>3</sup>AAWG (Messaging, Malware, Mobile Anti-Abuse Working Group).+- Microsoft 365 sends DMARC Aggregate reports to all domains with a valid `rua=mailto:` address in the DMARC TXT records, as long as the MX record for the Microsoft 365 domain points directly to Microsoft 365. -- Use the checklist at [dmarcian](https://space.dmarcian.com/deployment/).+ If mail from the internet is routed through a third-party service or device before delivery to Microsoft 365 (the MX record points somewhere other than Microsoft 365), DMARC Aggregate reports aren't sent. This limitation includes hybrid or standalone EOP scenarios where mail is delivered to the on-premises environment before being routed to Microsoft 365 using a connector. 
-- Go directly to the source at [DMARC.org](https://dmarc.org).+ > [!TIP] + > When a third-party service or device sits in front of mail flowing into Microsoft 365, [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as _skip listing_) correctly identifies the source of internet messages for SPF, DKIM (if the service modifies messages), and DMARC validation. -## See also +## Troubleshooting DMARC -[How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md) +You can use the following graphic to help troubleshoot DMARC authentication issues. -[**Set up SPF in Microsoft 365 to help prevent spoofing**](email-authentication-spf-configure.md) -[**Use DKIM to validate outbound email sent from your custom domain in Microsoft 365**](email-authentication-dkim-configure.md) +## Next steps -[Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure) +For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure). |
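Review bot: the `pct=` paragraph repeated under step 3 (`p=reject`) of the roll-out plan omits the fallback that makes it behave differently from the same paragraph under step 2: per RFC 7489 section 6.6.4, messages that the `pct=` sampling does not select are handled as `p=quarantine` when the published policy is `p=reject`, and as `p=none` when the published policy is `p=quarantine`. Suggest adding one sentence to the step-3 paragraph, e.g. "Messages not selected by the `pct=` percentage are treated as `p=quarantine`, not `p=none`", so admins ramping `pct=10` to `pct=100` know that unsampled mail is still affected.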
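Review bot: the new "Troubleshooting DMARC" section says "You can use the following graphic to help troubleshoot DMARC authentication issues." but nothing follows it before `## Next steps`, so the section is empty as written. Either add the `:::image type="content" ...:::` element (with alt text and source path) in this change, or keep the removed MX-record troubleshooting text (EOP not being the primary MX, the `contoso.com 3600 IN MX 0 mail.contoso.com` example) until the graphic is available.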
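Review bot: in the parked-domains list, the bullet "The `rua=mailto:` and `ruf=mailto:` values are arguably not needed in this scenario" understates aggregate reporting. For a domain that should never send mail, a `rua=` address is the only signal the owner gets that the domain is being spoofed and that receivers are actually enforcing `p=reject`. Suggest keeping `rua=` in the recommended parked-domain record and saying only `ruf=` can be dropped, which is consistent with the same article's statement that Microsoft 365 doesn't send DMARC Forensic reports.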
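Review bot: the three marketing.contoso.com example records spell out `pct=100` while the parked-domain bullet right after them says `pct=` "isn't included, because the default value is `pct=100`". Pick one convention: either drop `pct=100` from the roll-out examples or add a note there that it is shown only for clarity, so readers don't conclude the tag is required.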
security | Email Authentication Dmarc Reports | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-dmarc-reports.md | - Title: Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 365 - - NOCSH ---- Previously updated : 06/15/2023- - MET150 -- - m365-security - - tier1 -description: Read your DMARC Reports. If you set the rua tag while configuring, DMARC Reports are sent daily to the email addresses specified, which help admins and SecOps fight spoofing and phishing emails. Domain-based Message Authentication, Reporting, and Conformance (DMARC) validate messages sent from your organization, and generate reporting that highlights DMARC effectiveness. ---appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/eop-about" target="_blank">Exchange Online Protection</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# Use DMARC Reports to validate email in Microsoft Office 365 --> [!NOTE] -> If you haven't set up DMARC, the directions are [here](email-authentication-dmarc-configure.md). For an overview of email authentication including SPF, DKIM and DMARC in Microsoft Office 365, see this [topic](email-authentication-about.md). --Domain-based Message Authentication, Reporting, and Conformance (**DMARC**) helps protect against spoofing and phishing, and prevents benign messages from being marked as spam. --**DMARC Reporting** makes you aware of DMARC email authentication decisions at recipient mail server. 
--## Office 365 DMARC reporting --In Office 365, the DMARC reports are sent to all sender domain owners that have a valid rua address defined in their DMARC record (independent of your platform or configuration). --The only exception is where the MX record for the recipient domain doesn't directly point to Office 365. In that case no DMARC Report is sent to the sender domain owner rua address. --**Example:** --**Mailbox A** > recipient *domain contoso.com* --**Mailbox A MX record** > points to Office 365 at *contoso-com.mail.protection.outlook.com* --**Mailbox A report result** > automatically sent an aggregated DMARC report to all email sender domain owners with a valid rua address in their DMARC record. --But if the contoso.com domain's MX record points to a *different email security solution* that sits in front of Office 365, then *no DMARC aggregate reports are sent to any sender domain's rua address* (configured in their DMARC record). This is because information about the sending infrastructure is likely affected by the complex mail flow routing. --> [!NOTE] -> Microsoft currently has no plans to send forensic reports (ruf). --## What DMARC Reports do for you --It's recommended that admins set up and regularly review DMARC Reporting in their domain. --Admins should regularly read and monitor the daily DMARC reports sent in email. The reports outline what messages from the domain pass one of email authentication methods **Sender Policy Framework (SPF)**, or **DomainKeys Identified Mail (DKIM)**, and the verdict of **DMARC** authentication. --**DMARC Reports outline:** --- The servers or services sending email from your domain.-- The servers or services that pass or fail DMARC authentication.- - Note that email must also pass one of SPF or DKIM to pass DMARC. -- The actions that DMARC takes on a server that gets unauthenticated mail from your domain. 
The options are:- - None - - Quarantine - - Reject --DMARC reports let you know who is sending mail on your domain, and can alert you to potential spammers. Another advantage is that once most messages pass DMARC, admins can change enforcement by creating a stricter DMARC policy. This makes the environment increasingly unfriendly to spoofing and phishing. --Reviewing DMARC reports can verify that messages are sent by authorized servers, and determine whether they pass authentication checks. Over time, this will allow admins to fine tune their response, choosing from amongst reject, quarantine, or no response (none). --## Reading your DMARC Reports --When DMARC is turned on, reports are sent daily to the email address or addresses specified in your DMARC record (reports using the rua tag in the DMARC record contain the email information). --Every server that gets mail from your domain also sends back an XML DMARC report, including whether messages coming out of your domain pass or fail DMARC. You'll also see: --- Any results for SPF, DKIM, and DMARC email authentication.-- How many messages came from each IP address that day.--## Interpreting your DMARC data --> [!IMPORTANT] -> The numbers of DMARC emails varies in the same way the amount of email your domain sends does. For example, there may be lulls during holidays, and peaks during an organization's events. This can add up to a lot of reporting, so it's best to dedicate a group and mailbox to the practice of getting and analyzing these reports. --DMARC Reports can be difficult to read and interpret. Using a third-party service that specializes in DMARC, from receiving and storing this data, to analyzing and even aggregating reports, may be the answer. --Ultimately the value of your DMARC investment, how effectively it's working, and whether or not it's meeting goals comes down to analyzing the data. If your DMARC Reports are handled by a 3rd party have a discussion about your key DMARC objectives. 
--## More information --[**SPF**](email-authentication-spf-configure.md) SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is). --[**DKIM**](email-authentication-dkim-configure.md) email authentication's goal is to prove the contents of the mail haven't been tampered with. --[**DMARC**](email-authentication-dmarc-configure.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address. --[**Configure trusted ARC sealers**](email-authentication-arc-configure.md) |
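Review bot: this removes email-authentication-dmarc-reports.md wholesale, so the change also needs a redirect entry for the old URL (the file has its own `appliesto`, description and front matter, so it was published and linkable). The facts it carried (daily aggregate reports to the `rua` address, no reports when the recipient domain's MX record doesn't point directly to Office 365, and no forensic `ruf` reports) are restated in the "DMARC for inbound mail into Microsoft 365" section of email-authentication-dmarc-configure.md in the same change, so a redirect to that article preserves the content rather than losing it.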
security | Email Authentication Spf Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-authentication-spf-configure.md | Title: Set up SPF to help prevent spoofing + Title: Set up SPF identify valid email sources for your Microsoft 365 domain f1.keywords: - CSH--++ Previously updated : 6/15/2023 Last updated : 1/29/2024 audience: ITPro appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> -# Set up SPF to help prevent spoofing +# Set up SPF to identify valid email sources for your Microsoft 365 domain [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) email authentication with your custom domain in Office 365. +Sender Policy Framework (SPF) is a method of [email authentication](email-authentication-about.md) that helps validate mail sent from your Microsoft 365 organization to prevent spoofed senders that are used in business email compromise (BEC), ransomware, and other phishing attacks. -SPF helps *validate* outbound email sent from your custom domain (is coming from who it says it is). It's a first step in setting up the full recommended email authentication methods of SPF, [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md). +The primary purpose of SPF is to validate email sources for a domain. Specifically, SPF uses a TXT record in DNS to identify valid sources of mail for the domain. Receiving email systems use the SPF TXT record to verify that email from the sender address used during the SMTP transmission of the message (known as the MAIL FROM address, `5321.MailFrom` address, P1 sender, or envelope sender) is from a known, designated source of mail for that domain. 
-- [Prerequisites](#prerequisites)-- [Create or update your SPF TXT record](#create-or-update-your-spf-txt-record)- - [How to handle subdomains?](#how-to-handle-subdomains) -- [What does SPF email authentication actually do?](#what-does-spf-email-authentication-actually-do)- - [Troubleshooting SPF](#troubleshooting-spf) -- [More information about SPF](#more-information-about-spf)+For example, if your email domain in Microsoft 365 is contoso.com, you create an SPF TXT record in DNS for the contoso.com domain to identify Microsoft 365 as an authorized source of mail from contoso.com. Destination email systems check the SPF TXT record in contoso.com to determine whether the message came from an authorized source for contoso.com email. -## Prerequisites +Before we get started, here's what you need to know about SPF in Microsoft 365 based on your email domain: -> [!IMPORTANT] -> If you are a **small business**, or are unfamiliar with IP addresses or DNS configuration, call your Internet domain registrar (ex. GoDaddy, Bluehost, web.com) & ask for help with *DNS configuration of SPF* (and any other email authentication method). <p> **If you don't use a custom URL** (and the URL used for Office 365 ends in **onmicrosoft.com**), SPF has already been set up for you in the Office 365 service. +- **If you use only the Microsoft Online Email Routing Address (MOERA) domain for email (for example, contoso.onmicrosoft.com)**: You don't need to do anything. The SPF TXT record is already configured for you. Microsoft owns the onmicrosoft.com domain, so we're responsible for creating and maintaining the DNS records in that domain and subdomains. For more information about \*.onmicrosoft.com domains, see [Why do I have an "onmicrosoft.com" domain?](/microsoft-365/admin/setup/domains-faq#why-do-i-have-an--onmicrosoft-com--domain). -Let's get started. 
+- **If you use one or more custom domains for email (for example, contoso.com)**: The Microsoft 365 enrollment process already required you to create or modify the SPF TXT record in DNS for your custom domain to identify Microsoft 365 as an authorized mail source. But, you still have more work to do for maximum email protection: + - **Subdomain considerations**: + - For email services that aren't under your direct control (for example, bulk email services), we recommend using a subdomain (for example, marketing.contoso.com) instead of your main email domain (for example, contoso.com). You don't want issues with mail sent from those email services to affect the reputation of mail sent by employees in your main email domain. For more information about adding subdomains, see [Can I add custom subdomains or multiple domains to Microsoft 365?](/microsoft-365/admin/setup/domains-faq#can-i-add-custom-subdomains-or-multiple-domains-to-microsoft-365). + - Each subdomain that you use to send email from Microsoft 365 requires its own SPF TXT record. For example, the SPF TXT record for contoso.com doesn't cover marketing.contoso.com; marketing.contoso.com needs its own SPF TXT record. -The SPF TXT record for Office 365 will be made in external DNS for any custom domains or subdomains. You need some information to make the record. Gather this information: + > [!TIP] + > Email authentication protection for _undefined_ subdomains is covered by DMARC. Any subdomains (defined or not) inherit the DMARC settings of the parent domain (which can be overridden per subdomain). For more information, see [Set up DMARC to validate the From address domain for senders in Microsoft 365](email-authentication-dmarc-configure.md). -- The SPF TXT record for your custom domain, if one exists. 
For instructions, see [Gather the information you need to create Office 365 DNS records](/microsoft-365/admin/get-help-with-domains/information-for-dns-records).+ - **If you own registered but unused domains**: If you own registered domains that aren't used for email or anything at all (also known as _parked domains_), configure SPF TXT records to indicate that no email should ever come from those domains as described later in this article. -- Go to your messaging server(s) and find out the External IP addresses (needed from all on-premises messaging servers). For example, **131.107.2.200**.+- **SPF alone is not enough**. For the best level of email protection for your custom domains, you also need to configure DKIM and DMARC as part of your overall [email authentication](email-authentication-about.md) strategy. For more information, see the [Next Steps](#next-steps) section at the end of this article. -- Domain names to use for all third-party domains that you need to include in your SPF TXT record. Some bulk mail providers have set up subdomains to use for their customers. For example, the company MailChimp has set up **servers.mcsv.net**.+ > [!IMPORTANT] + > In complex organizations where it's difficult to identify all valid sources of mail for the domain, it's important that you quickly configure DKIM signing and DMARC (in 'take no action' mode) for the domain. A DMARC reporting service is very helpful for identifying email sources and SPF failures for the domain. -- Figure out what enforcement rule you want to use for your SPF TXT record. The **-all** rule is recommended. For detailed information about other syntax options, see [SPF TXT record syntax for Microsoft 365](email-authentication-anti-spoofing.md#spf-txt-record-syntax-for-microsoft-365).+The rest of this article describes the SPF TXT records that you need to create for custom domains in Microsoft 365. 
-> [!IMPORTANT] -> In order to use a custom domain, Office 365 requires that you add a Sender Policy Framework (SPF) TXT record to your DNS record to help prevent spoofing. +> [!TIP] +> There are no admin portals or PowerShell cmdlets in Microsoft 365 for you to manage SPF records in your domain. Instead, you create the SPF TXT record at your domain registrar or DNS hosting service (often the same company). +> +> We provide instructions to create the proof of domain ownership TXT record for Microsoft 365 at many domain registrars. You can use these instructions as a starting point to create the SPF TXT record value. For more information, see [Add DNS records to connect your domain](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider). +> +> If you're unfamiliar with DNS configuration, contact your domain registrar and ask for help. -## Create or update your SPF TXT record +## Syntax for SPF TXT records -1. Ensure that you're familiar with the SPF syntax in the following table. +SPF TXT records are exhaustively described in [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208). - |Element|If you're using...|Common for customers?|Add this...| - ||||| - |1|Any email system (required)|Common. All SPF TXT records start with this value|`v=spf1`| - |2|Exchange Online|Common|`include:spf.protection.outlook.com`| - |3|Exchange Online dedicated only|Not common|`ip4:23.103.224.0/19` <br> `ip4:206.191.224.0/19` <br> `ip4:40.103.0.0/16` <br> `include:spf.protection.outlook.com`| - |4|Office 365 Germany, Microsoft Cloud Germany only|Not common|`include:spf.protection.outlook.de`| - |5|Third-party email system|Not common|`include:<domain_name>` <p> \<domain_name\> is the domain of the third-party email system.| - |6|On-premises email system. 
For example, Exchange Online Protection plus another email system|Not common|Use one of these for each additional mail system: <p> `ip4:<IP_address>` <br> `ip6:<IP_address>` <br> `include:<domain_name>` <p> \<IP_address\> and \<domain_name\> are the IP address and domain of the other email system that sends mail on behalf of your domain.| - |7|Any email system (required)|Common. All SPF TXT records end with this value|`<enforcement rule>` <p> This can be one of several values. We recommend the value `-all`.| +The basic syntax of the SPF TX record for a custom domain in Microsoft 365 is: -2. If you haven't already done so, form your SPF TXT record by using the syntax from the table. +```txt +v=spf1 <valid mail sources> <enforcement rule> +``` - For example, if you are hosted entirely in Office 365, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 2, and 7 and would look like this: +Or: - ```text - v=spf1 include:spf.protection.outlook.com -all - ``` +```text +v=spf1 [<ip4>|<ip6>:<PublicIPAddress1> <ip4>|<ip6>:<PublicIPAddress2>... <ip4>|<ip6>:<PublicIPAddressN>] [include:<DomainName1> include:<DomainName1>... include:<DomainNameN>] <-all | ~all> +``` - **The example above is the most common SPF TXT record**. This record works for just about everyone, regardless of whether your Microsoft datacenter is located in the United States, or in Europe (including Germany), or in another location. +For example: - However, if you bought Office 365 Germany, part of Microsoft Cloud Germany, you should use the include statement from line 4 instead of line 2. 
For example, if you are hosted entirely in Office 365 Germany, that is, you have no on-premises mail servers, your SPF TXT record would include rows 1, 4, and 7 and would look like this: +```text +v=spf1 ip4:192.168.0.10 ip4:192.168.0.12 include:spf.protection.outlook.com -all +``` - ```text - v=spf1 include:spf.protection.outlook.de -all - ``` +- `v=spf1` identifies the TXT record as an SPF TXT record. - If you're already deployed in Office 365 and have set up your SPF TXT records for your custom domain, and you're migrating to Office 365 Germany, you need to update your SPF TXT record. To do this, change `include:spf.protection.outlook.com` to `include:spf.protection.outlook.de`. +- **Valid mail sources**: Specified valid sources of mail for the domain. Uses **Domains**, **IP addresses**, or both: + - **Domains**: `include:` values specify other services or domains as valid sources of mail from the original domain. These values ultimately lead to an IP address using DNS lookups. -3. Once you have formed your SPF TXT record, you need to update the record in DNS. **You can only have one SPF TXT record for a domain.** If an SPF TXT record exists, instead of adding a new record, you need to update the existing record. Go to [Create DNS records for Office 365](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider), and then select the link for your DNS host. + Most Microsoft 365 organizations require `include:spf.protection.outlook.com` in the SPF TXT record for the domain. Other third-party email services often require an additional `include:` value to identify the service as a valid source of email from the original domain. -4. Test your SPF TXT record. + - **IP addresses**: An IP address value includes both of the following elements: + - The value `ipv4:` or `ipv6:` to identify the type of IP address. + - The publicly resolvable IP address of the source email system. 
For example: + - An individual IP address (for example, 192.168.0.10). + - An IP address range using Classless Inter-Domain Routing (CIDR) notation (for example 192.168.0.1/26). Be sure that the range isn't too big or too small. -## How to handle subdomains? + In Microsoft 365, you typically use IP addresses in the SPF TXT record only if you have on-premises email servers that send mail from the Microsoft 365 domain (for example, [Exchange Server hybrid deployments](/exchange/exchange-hybrid)). Some third-party email services might also use an IP address range instead of an `include:` value in the SPF TXT record. -It's important to note that *you need to create a separate record for each subdomain as subdomains don't inherit the SPF record of their top-level domain*. +- **Enforcement rule**: Tells destination email systems what to do with messages from sources that aren't specified in the SPF TXT record for the domain. Valid values are: + - `-all` (hard fail): Sources not specified in the SPF TXT record aren't authorized to send mail for the domain, so the messages should be rejected. What actually happens to the message depends on the destination email system, but the messages are typically discarded. + + For Microsoft 365 domains, we recommend `-all` (hard fail) because we also recommend DKIM and DMARC for the domain. The DMARC policy specifies what to do to messages that fail SPF or DKIM, and DMARC reports allow you to validate the results. -A wildcard SPF record (`*.`) is required for every domain and subdomain to prevent attackers from sending email claiming to be from non-existent subdomains. For example: + > [!TIP] + > As previously indicated, DMARC configured with a DMARC reporting service helps greatly in identifying email sources and SPF failures for the domain. -```text -*.subdomain.contoso.com. 
IN TXT "v=spf1 -all" -``` + - `~all` (soft fail): Sources not specified in the SPF TXT record _probably_ aren't authorized to send mail for the domain, so the messages should be accepted but marked. What actually happens to the message depends on the destination email system. For example, the message might be quarantined as spam, delivered to the Junk Email folder, or delivered to the Inbox with an identifier added to the Subject or message body. ++ Because we also recommend DKIM and DMARC for Microsoft 365 domains, the differences between `-all` (hard fail) and `~all` (soft fail) are effectively eliminated (DMARC treats either result as an SPF failure). DMARC uses SPF to confirm the domains in the MAIL FROM and From addresses align _and_ the message came from a valid source for the From domain. ++ > [!TIP] + > `?all` (neutral) is also available to suggest no specific action on messages from unidentified sources. This value is used for testing, and we don't recommend this value in production environments. ++Important points to remember: ++- Each defined domain or subdomain in DNS requires an SPF TXT record, and only one SPF record is allowed per domain or subdomain. Email authentication protection for _undefined_ subdomains is best handled by DMARC. +- You can't modify the existing SPF TXT record for the \*.onmicrosoft.com domain. +- When the destination email system checks the valid email sources in the SPF record, SPF validation fails if the check requires too many DNS lookups. For more information, see the [Troubleshooting SPF TXT records](#troubleshooting-spf-txt-records) section later in this article. ++## SPF TXT records for custom domains in Microsoft 365 ++> [!TIP] +> As previously mentioned in this article, you create the SPF TXT record for a domain or subdomain at the domain registrar for the domain. No SPF TXT record configuration is available in Microsoft 365. 
++- **Scenario**: You use contoso.com for email in Microsoft 365, and Microsoft 365 is the only source of email from contoso.com. ++ **SPF TXT record for contoso.com in Microsoft 365 and Microsoft 365 Government Community Cloud (GCC)**: ++ ```text + v=spf1 include:spf.protection.outlook.com -all + ``` ++ **SPF TXT record for contoso.com in Microsoft 365 Government Community Cloud High (GCC High) and Microsoft 365 Department of Defense (DoD)**: ++ ```text + v=spf1 include:spf.protection.office365.us -all + ``` ++ **SPF TXT record for contoso.com in Microsoft 365 operated by 21Vianet** ++ ```text + v=spf1 include:spf.protection.partner.outlook.cn -all + ``` ++- **Scenario**: You use contoso.com for email in Microsoft 365, and you already configured the SPF TXT record in contoso.com with all sources of email from the domain. You also own the domains contoso.net and contoso.org, but you don't use them for email. You want to specify that no one is authorized to send email from contoso.net or contoso.org. ++ **SPF TXT record for contoso.net**: -## Troubleshooting SPF + ```txt + v=spf1 -all + ``` -Having trouble with your SPF TXT record? See [Troubleshooting: Best practices for SPF in Microsoft 365](email-authentication-anti-spoofing.md#troubleshooting-best-practices-for-spf-in-microsoft-365). + **SPF TXT record for contoso.org**: -## What does SPF email authentication actually do? + ```txt + v=spf1 -all + ``` -SPF identifies which mail servers are allowed to send mail on your behalf. Basically, SPF, along with DKIM, DMARC, and other technologies supported by Office 365, help prevent spoofing and phishing. SPF is added as a TXT record that is used by DNS to identify which mail servers can send mail on behalf of your custom domain. Recipient mail systems refer to the SPF TXT record to determine whether a message from your custom domain comes from an authorized messaging server. +- **Scenario**: You use contoso.com for email in Microsoft 365. 
You plan on sending mail from the following sources: + - An on-premises email server with the external email address of 192.168.0.10. Because you have direct control over this email source, we consider it OK to use the server for senders in the contoso.com domain. + - The Adatum bulk mailing service. Because you don't have direct control over this email source, we recommend using a subdomain, so you create marketing.contoso.com for that purpose. According to the Adatum service documentation, you need to add `include:servers.adatum.com` to the SPF TXT record for your domain. -For example, let's say that your custom domain contoso.com uses Office 365. You add an SPF TXT record that lists the Office 365 messaging servers as legitimate mail servers for your domain. When the receiving messaging server gets a message from joe@contoso.com, the server looks up the SPF TXT record for contoso.com and finds out whether the message is valid. If the receiving server finds out that the message comes from a server other than the Office 365 messaging servers listed in the SPF record, the receiving mail server can choose to reject the message as spam. + **SPF TXT record for contoso.com**: -Also, if your custom domain does not have an SPF TXT record, some receiving servers may reject the message outright. This is because the receiving server cannot validate that the message comes from an authorized messaging server. + ```text + v=spf1 ipv4:192.168.0.10 include:spf.protection.outlook.com -all + ``` -If you've already set up mail for Office 365, then you have already included Microsoft's messaging servers in DNS as an SPF TXT record. However, there are some cases where you may need to update your SPF TXT record in DNS. For example: + **SPF TXT record for marketing.contoso.com**: -- Previously, you had to add a different SPF TXT record to your custom domain if you were using SharePoint Online. This is no longer required. 
This change should reduce the risk of SharePoint Online notification messages ending up in the Junk Email folder. Update your SPF TXT record if you are hitting the 10 lookup limit and receiving errors that say things like, "exceeded the lookup limit" and "too many hops".+ ```text + v=spf1 include:servers.adatum.com include:spf.protection.outlook.com -all + ``` -- If you have a hybrid environment with Office 365 and Exchange on-premises.+## Troubleshooting SPF TXT records -- You intend to set up DKIM and DMARC (recommended).+- **One SPF record per domain or subdomain**: Multiple SPF TXT records for the same domain or subdomain cause a DNS lookup loop that makes SPF fail, so use only one SPF record per domain or subdomain. -## More information about SPF +- **Less than 10 DNS lookups**: When destination email systems query the SPF TXT record for valid sources for the MAIL FROM address domain, the query scans through the IP addresses and `include:` statements in the record until the message source (ultimately, an IP address) matches one of the specified sources. If the number of DNS lookups (which can be different than the number of DNS _queries_) is greater than 10, the message fails SPF with a permanent error (also known as a `permerror`). The destination email system rejects the message in a non-delivery report (also known as an NDR or _bounce message_) with one of the following errors: + - The message exceeded the hop count. + - The message required too many lookups. -For advanced examples, a more detailed discussion about supported SPF syntax, spoofing, troubleshooting, and how Office 365 supports SPF, see [How SPF works to prevent spoofing and phishing in Microsoft 365](email-authentication-anti-spoofing.md#how-spf-works-to-prevent-spoofing-and-phishing-in-microsoft-365). + In the SPF TXT record, individual IP addresses or IP address ranges don't cause DNS lookups. 
Each `include:` statement requires at least one DNS lookup, and more lookups might be required if the `include:` value points to nested resources. In other words, having less than 10 `include:` statements doesn't guarantee less than 10 DNS lookups. -## Next Steps: DKIM and DMARC + Also keep in mind: destination email systems evaluate the sources in the SPF TXT record from left to right. Evaluation stops when the message source is validated, and no more sources are checked. Therefore, an SPF TXT record might contain enough information to cause more than 10 DNS lookups, but the validation of some mail sources by some destinations doesn't go deep enough in the record to result in an error. - SPF is designed to help prevent spoofing, but there are spoofing techniques that SPF can't protect against. To defend against these, once you've set up SPF, you should configure DKIM and DMARC for Office 365. + In addition to preserving the reputation of your main email domain, not exceeding the number of DNS lookups is another reason to use subdomains for other email services that you don't control. -[**DKIM**](email-authentication-dkim-configure.md) email authentication's goal is to prove the contents of the mail haven't been tampered with. +You can use free online tools to view your SPF TXT record and other DNS records for your domain. Some tools even calculate the number of DNS record lookups that your SPF TXT record requires. -[**DMARC**](email-authentication-dmarc-configure.md) email authentication's goal is to make sure that SPF and DKIM information matches the From address. +## Next Steps - For advanced examples and a more detailed discussion about supported SPF syntax, see [How SPF works to prevent spoofing and phishing in Office 365](email-authentication-anti-spoofing.md#how-spf-works-to-prevent-spoofing-and-phishing-in-microsoft-365). 
+As described in [How SPF, DKIM, and DMARC work together to authenticate email message senders](email-authentication-about.md#how-spf-dkim-and-dmarc-work-together-to-authenticate-email-message-senders), SPF alone isn't enough to prevent spoofing of your Microsoft 365 domain. You also need to configure DKIM and DMARC for the best possible protection. For instructions, see: -[Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure) +- [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md) +- [Use DMARC to validate email](email-authentication-dmarc-configure.md) -*Select 'This page' under 'Feedback' if you have feedback on this documentation.* +For mail coming _into_ Microsoft 365, you might also need to configure trusted ARC sealers if you use services that modify messages in transit before delivery to your organization. For more information, see [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure). |
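Review bot: The IP mechanism names in the added text are wrong in two places: the bullet under **Valid mail sources** says "The value `ipv4:` or `ipv6:` to identify the type of IP address", and the contoso.com scenario record reads `v=spf1 ipv4:192.168.0.10 include:spf.protection.outlook.com -all`. SPF (RFC 7208) defines the mechanisms as `ip4:` and `ip6:`, which is what the syntax line `v=spf1 [<ip4>|<ip6>:<PublicIPAddress1> ...` and the `v=spf1 ip4:192.168.0.10 ip4:192.168.0.12 include:spf.protection.outlook.com -all` example in the same hunk use; a receiver evaluating `ipv4:` treats it as an unrecognized mechanism and returns permerror, so the record as published would fail SPF for every message. Suggest `ip4:`/`ip6:` in the bullet and `v=spf1 ip4:192.168.0.10 include:spf.protection.outlook.com -all` in the scenario. Two smaller points in the same hunk: the syntax line repeats `include:<DomainName1> include:<DomainName1>...` where the second should be `<DomainName2>`, and "The basic syntax of the SPF TX record" should read "SPF TXT record".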
security | Mdo Deployment Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-deployment-guide.md | To configure EOP and Defender for Office 365 features, you need permissions. The ## Step 1: Configure email authentication for your Microsoft 365 domains -**Summary**: Configure [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md) records (in that order) for all custom Microsoft 365 domains (including parked domains and all subdomains). If necessary, configure any [trusted ARC sealers](email-authentication-arc-configure.md). +**Summary**: Configure [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md) records (in that order) for all custom Microsoft 365 domains (including parked domains and subdomains). If necessary, configure any [trusted ARC sealers](email-authentication-arc-configure.md). **Details**: Email authentication (also known as _email validation_) is a group of standards to verify that email messages are legitimate, unaltered, and come from expected sources for the sender's email domain. For more information, see [Email authentication in EOP](email-authentication-about.md). -We'll proceed with the assumption that you're using one or more [custom domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) (for example @contoso.com) in Microsoft 365 for email, so you need to create specific email authentication DNS records for each custom domain that you're using for email. 
+We'll proceed with the assumption that you're using one or more [custom domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in Microsoft 365 for email (for example contoso.com) , so you need to create specific email authentication DNS records for each custom domain that you're using for email. Create the following email authentication DNS records at your DNS registrar or DNS hosting service for each custom domain that you use for email in Microsoft 365: -- **Sender Policy Framework (SPF)**: The SPF TXT record identifies valid sources for email from senders in the domain. For instructions, see [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md).+- **Sender Policy Framework (SPF)**: The SPF TXT record identifies valid sources of email from senders in the domain. For instructions, see [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md). -- **DomainKeys Identified Mail (DKIM)**: DKIM encrypts a signature within the message header that survives message forwarding. For instructions, see [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md).+- **DomainKeys Identified Mail (DKIM)**: DKIM signs outbound messages and stores the signature in the message header that survives message forwarding. For instructions, see [Use DKIM to validate outbound email sent from your custom domain](email-authentication-dkim-configure.md). -- **Domain-based Message Authentication, Reporting, and Conformance (DMARC)**: DMARC helps destination email servers decide what to do with messages from the custom domain that fail SPF and DKIM checks. Be sure to include `p=reject` or `p=quarantine` policies in the DMARC records. 
for instructions, see [Set up DMARC for outbound mail from Microsoft 365](email-authentication-dmarc-configure.md#set-up-dmarc-for-outbound-mail-from-microsoft-365).+- **Domain-based Message Authentication, Reporting, and Conformance (DMARC)**: DMARC helps destination email servers decide what to do with messages from the custom domain that fail SPF and DKIM checks. Be sure to include the DMARC policy (`p=reject` or `p=quarantine`) and DMARC report destinations (aggregate and forensic reports) in the DMARC records. for instructions, see [Use DMARC to validate email](email-authentication-dmarc-configure.md). -- **Authenticated Received Chain (ARC)**: If you use third-party services that modify message in transit, you can configure the services as _trusted ARC sealers_ so the modified messages can still pass email authentication checks (if the service supports it). For instructions, see [Configure trusted ARC sealers](email-authentication-arc-configure.md).+- **Authenticated Received Chain (ARC)**: If you use third-party services that modify _inbound_ messages in transit before delivery to Microsoft 365, you can identify the services as _trusted ARC sealers_ (if they support it) so the modified messages don't automatically fail email authentication checks in Microsoft 365. For instructions, see [Configure trusted ARC sealers](email-authentication-arc-configure.md). 
-If you're using the @\*.onmicrosoft.com domain for email (also known as the Microsoft Online Email Routing Address or MOERA domain), there's not nearly as much for you to do: +If you're using the \*.onmicrosoft.com domain for email (also known as the Microsoft Online Email Routing Address or MOERA domain), there's not nearly as much for you to do: -- **SPF**: An SPF record is already configured for the \<domain\>.onmicrosoft.com domain.-- **DKIM**: A DKIM record is already configured for the \<domain\>.onmicrosoft.com domain.-- **DMARC**: You need to manually set up the DMARC record for the \<domain\>.onmicrosoft.com domain in the Microsoft 365 admin center at <https://admin.microsoft.com/Adminportal/Home#/Domains> as described in [Activate DMARC for a MOERA domain](step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md#activate-dmarc-for-moera-domain).+- **SPF**: An SPF record is already configured for the \*.onmicrosoft.com domain. +- **DKIM**: DKIM signing is is already configured for outbound mail using the \*.onmicrosoft.com domain, but you can also [manually customize it](email-authentication-dkim-configure.md#use-the-defender-portal-to-customize-dkim-signing-of-outbound-messages-using-the-onmicrosoftcom-domain). +- **DMARC**: You need to manually set up the DMARC record for the \*.onmicrosoft.com domain as described [here](email-authentication-dmarc-configure.md#use-the-microsoft-365-admin-center-to-add-dmarc-txt-records-for-onmicrosoftcom-domains-in-microsoft-365). ## Step 2: Configure protection policies Remember, default policies (and Built-in protection in Defender for Office 365) It's also important to realize that you aren't locked into your initial decision forever. 
The information in the [recommended settings tables](recommended-settings-for-eop-and-office365.md) and the [comparison table for Standard and Strict](preset-security-policies.md#policy-settings-in-preset-security-policies) should allow you to make an informed decision. But if needs, results, or circumstances change, it's not difficult to switch to a different strategy later. -**Without a compelling business need that indicates otherwise, we recommend starting with the Standard preset security policy for all users in your organization**. Preset security policies are configured with settings based years of observations in the Microsoft 365 datacenters, and should be the right choice for the majority of organizations. And, the policies are automatically updated to match the threats of the security landscape. +**Without a compelling business need that indicates otherwise, we recommend starting with the Standard preset security policy for all users in your organization**. Preset security policies are configured with settings based on years of observations in the Microsoft 365 datacenters, and should be the right choice for the majority of organizations. And, the policies are automatically updated to match the threats of the security landscape. In preset security policies, you can select the **All recipients** option to easily apply protection to all recipients in the organization. 
But, the intent of this step is to configure other admins to help you manage the When it comes to assigning permissions for tasks in EOP and Defender for Office 365, the following options are available: -- [Azure AD permissions](/microsoft-365/admin/add-users/about-admin-roles): These permissions apply to all workloads in Microsoft 365 (Exchange Online, SharePoint Online, Microsoft Teams, etc.).+- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): These permissions apply to all workloads in Microsoft 365 (Exchange Online, SharePoint Online, Microsoft Teams, etc.). - [Exchange Online permissions](/exchange/permissions-exo/permissions-exo): Most tasks in EOP and Defender for Office 365 are available using Exchange Online permissions. Assigning permissions only in Exchange Online prevents administrative access in other Microsoft 365 workloads. - [Email & collaboration permissions in the Microsoft Defender portal](scc-permissions.md): Administration of some security features in EOP and Defender for Office 365 is available with Email & collaboration permissions. For example: - [Configuration analyzer](configuration-analyzer-for-security-policies.md) |
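Review bot: Typos in the added lines of this hunk: "DKIM signing is is already configured" doubles "is"; the DMARC bullet's "for instructions, see [Use DMARC to validate email]" starts the sentence with a lowercase "for"; and "(for example contoso.com) , so you need" has a stray space before the comma. Suggest "DKIM signing is already configured ...", "For instructions, see ...", and "(for example, contoso.com), so you need ...".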
security | Message Headers Eop Mdo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-headers-eop-mdo.md | The following table describes useful fields in the **X-Microsoft-Antispam** mess ## Authentication-results message header -The results of email authentication checks for SPF, DKIM, and DMARC are recorded (stamped) in the **Authentication-results** message header in inbound messages. +The results of email authentication checks for SPF, DKIM, and DMARC are recorded (stamped) in the **Authentication-results** message header in inbound messages. The **Authentication-results** header is defined in [RFC 7001](https://datatracker.ietf.org/doc/html/rfc7001). The following list describes the text that's added to the **Authentication-Results** header for each type of email authentication check: The following list describes the text that's added to the **Authentication-Resul ```text spf=pass (sender IP is 192.168.0.1) smtp.mailfrom=contoso.com+ spf=fail (sender IP is 127.0.0.1) smtp.mailfrom=contoso.com ``` The following list describes the text that's added to the **Authentication-Resul ```text dkim=pass (signature was verified) header.d=contoso.com+ dkim=fail (body hash did not verify) header.d=contoso.com ``` The following list describes the text that's added to the **Authentication-Resul ```text dmarc=pass action=none header.from=contoso.com+ dmarc=bestguesspass action=none header.from=contoso.com+ dmarc=fail action=none header.from=contoso.com+ dmarc=fail action=oreject header.from=contoso.com ``` The following table describes the fields and possible values for each email auth |Field|Description| |||-|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>`oreject` or `o.reject`: Stands for override reject. 
In this case, Microsoft 365 uses this action when it receives a message that fails the DMARC check from a domain whose DMARC TXT record has a policy of `p=reject`. Instead of deleting or rejecting the message, Microsoft 365 marks the message as spam. For more information on why Microsoft 365 is configured this way, see [How Microsoft 365 handles inbound email that fails DMARC](email-authentication-dmarc-configure.md#how-microsoft-365-handles-inbound-email-that-fails-dmarc).</li><li>`pct.quarantine`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=quarantine`. But, the pct field wasn't set to 100%, and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`pct.reject`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=reject`. But, the pct field wasn't set to 100% and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`permerror`: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you might need to contact the domain's owner in order to resolve the issue.</li><li>`temperror`: A temporary error occurred during DMARC evaluation. You might be able to request that the sender resend the message later in order to process the email properly.</li></ul>| +|`action`|Indicates the action taken by the spam filter based on the results of the DMARC check. For example: <ul><li>`pct.quarantine`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. 
This result means that the message failed DMARC and the DMARC policy was set to `p=quarantine`. But, the pct field wasn't set to 100%, and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`pct.reject`: Indicates that a percentage less than 100% of messages that don't pass DMARC are delivered anyway. This result means that the message failed DMARC and the DMARC policy was set to `p=reject`. But, the pct field wasn't set to 100% and the system randomly determined not to apply the DMARC action per the specified domain's DMARC policy.</li><li>`permerror`: A permanent error occurred during DMARC evaluation, such as encountering an incorrectly formed DMARC TXT record in DNS. Attempting to resend this message isn't likely to end with a different result. Instead, you might need to contact the domain's owner in order to resolve the issue.</li><li>`temperror`: A temporary error occurred during DMARC evaluation. You might be able to request that the sender resend the message later in order to process the email properly.</li></ul>| |`compauth`|Composite authentication result. Used by Microsoft 365 to combine multiple types of authentication (SPF, DKIM, and DMARC), or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation.| |`dkim`|Describes the results of the DKIM check for the message. Possible values include: <ul><li>**pass**: Indicates the DKIM check for the message passed.</li><li>**fail (reason)**: Indicates the DKIM check for the message failed and why. For example, if the message wasn't signed or the signature wasn't verified.</li><li>**none**: Indicates that the message wasn't signed. This result might or might not indicate that the domain has a DKIM record or the DKIM record doesn't evaluate to a result.</li></ul>| |`dmarc`|Describes the results of the DMARC check for the message. 
Possible values include: <ul><li>**pass**: Indicates the DMARC check for the message passed.</li><li>**fail**: Indicates the DMARC check for the message failed.</li><li>**bestguesspass**: Indicates that no DMARC TXT record exists for the domain exists. If the domain had a DMARC TXT record, the DMARC check for the message would have passed.</li><li>**none**: Indicates that no DMARC TXT record exists for the sending domain in DNS.| |
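Review bot: The `action` row drops the `oreject`/`o.reject` description (and its link to "How Microsoft 365 handles inbound email that fails DMARC"), but the added example line `dmarc=fail action=oreject header.from=contoso.com` in the Authentication-Results samples still shows that value, so readers now meet `oreject` in the example with no entry in the field table; either keep the `oreject` bullet or drop that example line. Also, the new sentence cites RFC 7001 for the Authentication-Results header, but RFC 7001 was obsoleted by RFC 7601 and then RFC 8601, so the link should point at RFC 8601. Minor: the unchanged `dmarc` row's "no DMARC TXT record exists for the domain exists" repeats "exists".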
security | How To Enable Dmarc Reporting For Microsoft Online Email Routing Address Moera And Parked Domains | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md | Last updated 1/31/2023 # How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains -Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). If you haven't already enabled DMARC for your domains, that should be the first step, detailed here: [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure) +Best practice for domain email security protection is to protect yourself from spoofing using Domain-based Message Authentication, Reporting, and Conformance (DMARC). Enabling DMARC for your domains should be the first step as described here: [Domain-based Message Authentication, Reporting, and Conformance (DMARC)](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure) -This guide is designed to help you configure DMARC for domains not covered by the main DMARC article. These domains include domains that you're not using for email, but could be leveraged by attackers if they remain unprotected: +This guide is designed to help you configure DMARC for domains not covered by the main DMARC article. These domains include domains that you're not using for email, but could be used by attackers if they remain unprotected: - Your `onmicrosoft.com` domain, also known as the Microsoft Online Email Routing Address (MOERA) domain. - Parked custom domains that you're currently not using for email yet. 
-## What you'll need +## What you need - Microsoft 365 admin center and access to your DNS provider hosting your domains. - Sufficient permissions as Global Admin to make the appropriate changes in the Microsoft 365 admin center. This guide is designed to help you configure DMARC for domains not covered by th 1. Select your tenant domain (for example, contoso.onmicrosoft.com). 1. On the page that loads, select **DNS records**. 1. Select **+ Add record**.-1. A flyout will appear on the right. Ensure that the selected Type is **TXT (Text)**. +1. A flyout opens. Ensure that the selected Type is **TXT (Text)**. 1. Add `_dmarc` as **TXT name**.-1. Add your specific DMARC value. For more information, see [Form the DMARC TXT record for your domain](../email-authentication-dmarc-configure.md#step-4-form-the-dmarc-txt-record-for-your-domain). +1. Add your specific DMARC value. For more information, see [Syntax for DMARC TXT records](../email-authentication-dmarc-configure.md#syntax-for-dmarc-txt-records). 1. Press **Save**. ## Active DMARC for parked domains Wait until the DNS changes are propagated and try to spoof the configured domain ## More Information -[Set up SPF to help prevent spoofing - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/email-authentication-spf-configure) +[Set up SPF to help prevent spoofing](/microsoft-365/security/office-365-security/email-authentication-spf-configure). -[Use DMARC to validate email, setup steps - Office 365 | Microsoft Docs](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure) +[Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure). |
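Review bot: The unchanged heading "## Active DMARC for parked domains" reads as a typo for "Activate DMARC for parked domains", consistent with the "Activate DMARC for a MOERA domain" anchor that the deployment guide links to in this file; worth fixing while the file is being touched.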
security | Tenant Wide Setup For Increased Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md | The Microsoft Defender portal has capabilities for both protection and reporting As an initial step, you need to configure *email authentication* records in DNS for all custom email domains in Microsoft 365 (SPF, DKIM, and DMARC). Microsoft 365 automatically configures email authentication for the \*.onmicrosoft.com domain. For more information, see [Step 1: Configure email authentication for your Microsoft 365 domains](mdo-deployment-guide.md#step-1-configure-email-authentication-for-your-microsoft-365-domains). > [!NOTE]-> For non-standard deployments of SPF, hybrid deployments, and troubleshooting: [How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing](email-authentication-anti-spoofing.md). +> For non-standard deployments of SPF, hybrid deployments, and troubleshooting: [Set up SPF to help prevent spoofing](email-authentication-spf-configure.md). Most protection features in Exchange Online Protection (EOP) and Defender for Office 365 come with *default policy configurations*. For more information, see the table [here](mdo-deployment-guide.md#step-2-configure-protection-policies). |
security | Threat Explorer About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-about.md | Currently, we surface delivery location in the email grid and email flyout. The > > - You might see **Delivery location** as "delivered" and **Delivery location** as "unknown" if the message was delivered, but an Inbox rule moved the message to a default folder (such as Draft or Archive) instead of to the Inbox or Junk Email folder. >-> - **Latest delivery location** can be unknown if an admin/system action (such as ZAP) was attempted, but the message wasn't found. Typically, the action happens after the user moved or deleted the message. In such cases, verify the **Result/Details** column in timeline view. Look for the statement "Message moved or deleted by the user." +> - **Latest delivery location** can be "Deleted items folder" if an admin/system action (such as ZAP) was attempted, but the message wasn't found. Typically, the action happens after the user moved or deleted the message. In such cases, verify the **Result/Details** column in timeline view. Look for the statement "Message moved or deleted by the user." > [!div class="mx-imgBorder"] > :::image type="content" source="../../media/Updated_Timeline_Delivery_Location.png" alt-text="Screenshot of the delivery locations for timeline." lightbox="../../media/Updated_Timeline_Delivery_Location.png"::: |
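Review bot: the reworded bullet now says **Latest delivery location** can be "Deleted items folder" when an admin/system action such as ZAP was attempted but "the message wasn't found", which reads as contradictory; if ZAP could not locate the message, state how the Deleted Items location is derived (for example, inferred from the user's move or delete recorded in the timeline) so readers don't take it as a confirmed location. The preceding bullet in the same region labels both values **Delivery location**; the second is presumably **Latest delivery location** and should be corrected in the same pass.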
syntex | Difference Between Document Understanding And Form Processing Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/difference-between-document-understanding-and-form-processing-model.md | Use the following table to see differences in custom models to help identify the | Integrate with managed metadata | Yes, by training entity extractor referencing a configured managed metadata field. | No | No | | Compliance feature integration with Microsoft Purview Information Protection | Set published retention labels.<br>Set published sensitivity labels. | Set published retention labels. <br>Set published sensitivity labels. | Set published retention labels. <br>Set published sensitivity labels. | | Supported regions| Available in all regions. | Relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Relies on Power Platform. For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). |-| Transactional cost | Not applicable | For pay-as-you-go licensing, not applicable. <br>If you still have per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages. | For pay-as-you-go licensing, not applicable. <br>If you still have per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages.| +| Transactional cost | For pay-as-you-go licensing, see [pricing](syntex-pay-as-you-go-services.md). <br>For per-user licensing, not applicable. | For pay-as-you-go licensing, not applicable. <br>For per-user licensing, uses AI Builder credits. 
3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages. | For pay-as-you-go licensing, not applicable. <br>For per-user licensing, uses AI Builder credits. 3,500 credits are included for each Syntex license per month. One million credits allow processing of 10,000 file pages.| | Capacity | No capacity restrictions. | Uses the default Power Platform environment (custom environments with Dataverse database supported). | Uses the default Power Platform environment (custom environments with Dataverse database supported). | | Supported languages| Supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). | Supports [more than 40 languages](/ai-builder/form-processing-model-requirements#model-for-unstructured-and-free-form-documents). | Supports [more than 100 languages](/ai-builder/form-processing-model-requirements#model-for-structured-and-semi-structured-documents). | |
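Review bot: the rewritten "Transactional cost" row keeps the pair of figures "3,500 credits are included for each Syntex license per month" and "One million credits allow processing of 10,000 file pages" in both AI Builder columns; together they imply 100 credits per page, about 35 pages per license per month, so confirm both numbers against the current AI Builder credit rates before publishing and consider stating the per-page rate directly so readers don't have to derive it. The new first-column text "For pay-as-you-go licensing, see [pricing](syntex-pay-as-you-go-services.md)" is fine, but the identical credit sentences repeated in two cells would be easier to maintain as one note below the table.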
syntex | Esignature Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-setup.md | For more protection, when a sender cancels a request, recipients immediately los Certain [conditional access](/entra/identity/conditional-access/overview) might determine whether external recipients (signers outside of your organization or Microsoft 365 tenant) will be able sign a document. Depending on the admin setup, external signers might not be able to access and read the document for signing. In some other cases, they might be able to access the document for signing, but the signing operation will be unsuccessful. One common way to resolve this is to add the **Microsoft eSignature Service** to the list of approved apps via the Microsoft Entra admin center. +### Microsoft Entra B2B ++Microsoft Entra B2B provides authentication and management of guests. External signers are considered as guests within your tenant. To be able to send requests to signers outside your organization, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration#enabling-the-integration). + ### Authentication External users might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document. |
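Review bot: the added "Microsoft Entra B2B" section states the prerequisite but not what happens when it is missing; add one sentence saying whether the request to an external signer fails to send or the signer fails at sign-in, so admins can recognise the symptom. Minor grammar in the same added text: "External signers are considered as guests" should read "External signers are considered guests", and the unchanged sentence just above it, "will be able sign a document", is missing "to".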
syntex | Esignature Troubleshoot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-troubleshoot.md | description: Learn how to troubleshoot issues with sending, receiving, or viewin ## Unable to create a request -If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies. +If you aren't able to create a signature request, check the PDF viewer settings, the collaboration settings, or the access policies. Refer to the [setup page](https://learn.microsoft.com/microsoft-365/syntex/esignature-setup) to ensure the correct settings are done. Also, check that the PDF you are attempting to sign is not already electronically signed using SharePoint eSignature or any other electronic signature provider. ++> [!NOTE] +> New eSignature requests can't be started from documents that have been previously signed. You need to choose another document to create the request. ### Default program for PDF viewing |
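Review bot: the new link `https://learn.microsoft.com/microsoft-365/syntex/esignature-setup` is an absolute URL while the rest of this docset links relatively (for example `syntex-pay-as-you-go-services.md` elsewhere in this change set); use `esignature-setup.md` so the link resolves in localized and staging builds. The phrase "to ensure the correct settings are done" should read "to confirm the settings are configured correctly", and the new NOTE repeats the preceding sentence about already-signed documents; keep the NOTE and drop the duplicate sentence, or the other way round.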
syntex | Translation Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/translation-overview.md | Microsoft Syntex lets you easily create a translated copy of a selected file or ![Screenshot showing a document library with translated documents.](../media/content-understanding/translation-sample-library.png) -This feature lets you translate files of different types either manually or automatically by creating a rule. You can use custom glossaries and models to improve the quality and consistency of your translations. +This feature lets you translate files of different types either manually or automatically by creating a rule. You can also use the translation feature for translating video transcripts and closed captioning files. For more information, see [Transcript translations in Stream for SharePoint](https://prod.support.services.microsoft.com/office/microsoft-syntex-pay-as-you-go-transcript-translations-in-stream-for-sharepoint-2e34ad1b-e213-47ed-a806-5cc0d88751de). |
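Review bot: the replacement sentence silently drops "You can use custom glossaries and models to improve the quality and consistency of your translations"; if glossaries and custom models are still supported, keep that sentence alongside the new transcript-translation text, and if the capability was removed, the change should say so. Also check the new link host: `prod.support.services.microsoft.com` looks like a service hostname rather than the public support.microsoft.com address, so confirm it is the canonical URL before publishing.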